How to fix CVE-2026-35520?

Within 24 hours: Identify all Pi-hole FTL instances running versions 6.0-6.5 and document their network exposure. Restrict administrative interface access via firewall rules or network segmentation to trusted administrative networks only. Within 7 days: Implement network-based access controls limiting who can authenticate to the Pi-hole web interface and API endpoints; review and revoke unnecessary user accounts with administrative or configuration privileges. Within 30 days: Monitor vendor (Pi-hole) advisory channels for patch availability; consider upgrading to version 6.6 or later if released, or evaluate alternative DNS filtering solutions if patches remain unavailable.

Is Command Injection affected by CVE-2026-35520?

Pi-hole FTL versions 6.0-6.5 contain a remote code execution vulnerability in the DHCP configuration handler that allows authenticated users to execute arbitrary commands on systems running Pi-hole.

CVE-2026-35520

EUVD-2026-19713 HIGH

2026-04-07 GitHub_M

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 16:00 euvd

EUVD-2026-19713

Analysis Generated

Apr 07, 2026 - 16:00 vuln.today

CVE Published

Apr 07, 2026 - 15:19 nvd

HIGH 8.8

Description

FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.

Analysis

Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to inject arbitrary dnsmasq configuration directives via newline character injection in the DHCP lease time parameter (dhcp.leaseTime), leading to command execution on the underlying system. Affects the FTLDNS component that provides Pi-hole's interactive API and web statistics. …

Remediation

Within 24 hours: Identify all Pi-hole FTL instances running versions 6.0-6.5 and document their network exposure. Restrict administrative interface access via firewall rules or network segmentation to trusted administrative networks only. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +44

POC: 0

CVE-2026-35520 vulnerability details – vuln.today

Back

CVE-2026-35520

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-35520

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code