How to fix CVE-2026-35518?

Within 24 hours: Identify all Pi-hole FTL installations and document versions 6.0-6.5 currently deployed. Within 7 days: Restrict administrative and configuration access to Pi-hole instances to trusted personnel only; enable multi-factor authentication if available. Within 30 days: Monitor Pi-hole vendor communications for patch availability and plan upgrade to patched versions once released; evaluate alternative DNS filtering solutions if patch timeline is unacceptable for your risk posture.

Is Command Injection affected by CVE-2026-35518?

Pi-hole FTL DNS engine versions 6.0-6.5 contain a remote code execution vulnerability that allows low-privileged authenticated users to execute arbitrary system commands by manipulating DNS CNAME record configurations.

CVE-2026-35518

EUVD-2026-19685 HIGH

2026-04-07 GitHub_M

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 15:30 euvd

EUVD-2026-19685

Analysis Generated

Apr 07, 2026 - 15:30 vuln.today

CVE Published

Apr 07, 2026 - 15:17 nvd

HIGH 8.8

Description

FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.

Analysis

Remote code execution in Pi-hole FTL DNS engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary system commands by injecting malicious dnsmasq configuration directives through newline characters in the DNS CNAME records parameter (dns.cnameRecords). Authentication requirements confirmed (CVSS PR:L - low privileges required). …

Remediation

Within 24 hours: Identify all Pi-hole FTL installations and document versions 6.0-6.5 currently deployed. Within 7 days: Restrict administrative and configuration access to Pi-hole instances to trusted personnel only; enable multi-factor authentication if available. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +44

POC: 0

CVE-2026-35518 vulnerability details – vuln.today

Back

CVE-2026-35518

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-35518

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code