Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
AnalysisAI
Remote code execution in Pi-hole FTL 6.0 through 6.5 allows authenticated attackers to execute arbitrary commands via newline injection in DNS host record configuration. The vulnerability exploits improper input sanitization in the dns.hostRecord parameter, enabling injection of malicious dnsmasq directives that execute at the system level. With CVSS 8.8 (network-accessible, low complexity, requires low-privilege authentication), this represents a critical risk for Pi-hole deployments where administrative access controls are weak. No public exploit identified at time of analysis, though the attack vector is straightforward for authenticated users.
Technical ContextAI
Pi-hole FTL (Faster Than Light DNS) is the core DNS and DHCP engine powering Pi-hole network-wide ad blocking systems. The vulnerability stems from CWE-78 (OS Command Injection) in the DNS host record configuration interface. When authenticated users configure custom DNS host records through the dns.hostRecord parameter, FTL passes these values to the underlying dnsmasq daemon without proper sanitization of newline characters. An attacker can inject newline-delimited dnsmasq configuration directives, including exec statements or conf-file directives pointing to attacker-controlled configuration files. Since dnsmasq runs with elevated privileges to bind to port 53 and manage system DNS, any injected commands execute with the same privilege level as the FTL service. The affected product CPE cpe:2.3:a:pi-hole:ftl:*:*:*:*:*:*:*:* confirms this impacts the FTL component specifically across the 6.0-6.5 version range.
RemediationAI
Upgrade Pi-hole FTL to version 6.6 or later, which contains the complete fix for the newline injection vulnerability in DNS host record configuration. The vendor-released patch is available through standard Pi-hole update mechanisms using 'pihole -up' command or manual installation from the official Pi-hole repository. Organizations unable to immediately upgrade should implement compensating controls including restricting administrative access to the Pi-hole web interface to trusted networks only, enforcing strong authentication credentials for admin accounts, monitoring FTL logs for suspicious dnsmasq configuration changes, and implementing network segmentation to limit the blast radius of potential compromise. Complete remediation guidance and update procedures are documented in the GitHub Security Advisory at https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp. No workarounds exist to fully mitigate the vulnerability without upgrading, as the flaw is architectural in the configuration parsing logic.
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to inject arbitrary
Remote code execution in Pi-hole FTL DNS engine versions 6.0 through 6.5 allows authenticated attackers to execute arbit
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers with low privileges
Session hijacking in Pi-hole FTL versions prior to 6.6.1 stems from a race condition in the CivetWeb-based HTTP session
The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL
The realm configuration component of TIBCO Software Inc.'s TIBCO FTL Community Edition, TIBCO FTL Developer Edition, TIB
The realm server (tibrealmserver) component of TIBCO Software Inc. Rated high severity (CVSS 8.8), this vulnerability is
The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL
The FTL Server (tibftlserver), FTL C API, FTL Golang API, FTL Java API, and FTL .Net API components of TIBCO Software In
The Windows Installation component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition
The FTL Server (tibftlserver) and Docker images containing tibftlserver components of TIBCO Software Inc.'s TIBCO Active
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19711