How to fix CVE-2026-35521?

Within 24 hours: Identify all Pi-hole FTL deployments and document current versions (check Settings > System > FTL Version). Restrict DHCP configuration access to trusted administrators only and audit recent DHCP hosts configuration changes. Within 7 days: Isolate or disable DHCP functionality on vulnerable instances if possible, or implement network segmentation to limit access to Pi-hole admin interfaces. Within 30 days: Upgrade to Pi-hole FTL 6.6 or later once available, or evaluate alternative DNS/DHCP solutions if patching is delayed beyond 30 days.

Is Command Injection affected by CVE-2026-35521?

CVE-2026-35521 is a high-severity remote code execution vulnerability affecting Pi-hole FTL versions 6.0-6.5 that allows authenticated users with low-level access to execute arbitrary system commands on DNS/DHCP infrastructure.

CVE-2026-35521

EUVD-2026-19715 HIGH

2026-04-07 GitHub_M

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 16:00 euvd

EUVD-2026-19715

Analysis Generated

Apr 07, 2026 - 16:00 vuln.today

CVE Published

Apr 07, 2026 - 15:20 nvd

HIGH 8.8

Description

FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.

Analysis

Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary system commands by injecting malicious dnsmasq configuration directives through newline characters in the DHCP hosts configuration parameter. Exploitation requires low-complexity network access with low-level authentication (CVSS 8.8, AV:N/AC:L/PR:L). …

Remediation

Within 24 hours: Identify all Pi-hole FTL deployments and document current versions (check Settings > System > FTL Version). Restrict DHCP configuration access to trusted administrators only and audit recent DHCP hosts configuration changes. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.3

CVSS: +44

POC: 0

CVE-2026-35521 vulnerability details – vuln.today

Back

CVE-2026-35521

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-35521

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code