Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
AnalysisAI
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to inject arbitrary dnsmasq configuration directives via newline character injection in the DHCP lease time parameter (dhcp.leaseTime), leading to command execution on the underlying system. Affects the FTLDNS component that provides Pi-hole's interactive API and web statistics. No public exploit identified at time of analysis, though exploitation requires only low-complexity attack methods with network access and low-privilege authentication (CVSS 8.8).
Technical ContextAI
Pi-hole FTL (Faster Than Light DNS) is the core engine powering Pi-hole's DNS and DHCP services, providing telemetry and configuration management. This vulnerability exploits insufficient input validation in the DHCP lease time configuration parameter, classified as CWE-78 (OS Command Injection). The attack leverages newline character injection to break out of the intended configuration context and inject arbitrary dnsmasq configuration directives. Since dnsmasq configuration files support various directives that can execute external programs (such as dhcp-script or dhcp-luascript options), an attacker can craft malicious input that ultimately results in arbitrary command execution with the privileges of the FTL process. The vulnerability exists in the configuration parsing layer where user-supplied DHCP lease time values are incorporated into dnsmasq configuration without proper sanitization of control characters.
RemediationAI
Upgrade Pi-hole FTL to version 6.6 or later, which contains fixes for the newline injection vulnerability in DHCP lease time configuration parsing. The vendor-released patch is available through standard Pi-hole update mechanisms or can be obtained directly from the Pi-hole GitHub repository. Follow the official update procedure documented at the vendor advisory https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj. As an interim mitigation if immediate patching is not feasible, restrict access to the Pi-hole administrative interface to trusted networks only using firewall rules, disable remote administrative access, and audit user accounts with DHCP configuration permissions. Review DHCP configuration for any suspicious entries that may indicate prior exploitation. After upgrading, verify the installed version is 6.6 or higher using the Pi-hole administrative interface or command-line tools.
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary
Remote code execution in Pi-hole FTL 6.0 through 6.5 allows authenticated attackers to execute arbitrary commands via ne
Remote code execution in Pi-hole FTL DNS engine versions 6.0 through 6.5 allows authenticated attackers to execute arbit
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers with low privileges
Session hijacking in Pi-hole FTL versions prior to 6.6.1 stems from a race condition in the CivetWeb-based HTTP session
The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL
The realm configuration component of TIBCO Software Inc.'s TIBCO FTL Community Edition, TIBCO FTL Developer Edition, TIB
The realm server (tibrealmserver) component of TIBCO Software Inc. Rated high severity (CVSS 8.8), this vulnerability is
The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL
The FTL Server (tibftlserver), FTL C API, FTL Golang API, FTL Java API, and FTL .Net API components of TIBCO Software In
The Windows Installation component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition
The FTL Server (tibftlserver) and Docker images containing tibftlserver components of TIBCO Software Inc.'s TIBCO Active
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19713