EUVD-2026-19684
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Analysis
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers with low privileges to execute arbitrary system commands by injecting newline-delimited dnsmasq configuration directives into the upstream DNS servers parameter (dns.upstreams). The vulnerability requires network access with authentication (CVSS:3.1 PR:L) but has low attack complexity and no user interaction required. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Pi-hole FTL deployments and identify instances running versions 6.0-6.5; revoke or restrict low-privilege user account access to DNS configuration interfaces. Within 7 days: Implement network segmentation to limit administrative access to Pi-hole instances to trusted internal networks only; monitor authentication logs for unauthorized configuration changes. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today