Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
AnalysisAI
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary system commands by injecting malicious dnsmasq configuration directives through newline characters in the DHCP hosts configuration parameter. Exploitation requires low-complexity network access with low-level authentication (CVSS 8.8, AV:N/AC:L/PR:L). No public exploit identified at time of analysis, though the vulnerability's straightforward injection mechanism and the popularity of Pi-hole as a DNS/DHCP solution elevate practical risk for environments with multiple administrative users or compromised credentials.
Technical ContextAI
Pi-hole FTL (Faster Than Light DNS) serves as the core DNS and DHCP engine for Pi-hole network-wide ad blocking systems, interfacing directly with dnsmasq for DNS/DHCP services. This vulnerability exploits CWE-78 (OS Command Injection) through insufficient input sanitization in the dhcp.hosts configuration parameter processing. When FTL translates user-supplied DHCP host entries into dnsmasq configuration directives, newline characters are not properly escaped or validated, allowing attackers to break out of the intended configuration context. By injecting newline-delimited dnsmasq directives such as 'dhcp-script=' or 'conf-file=', an authenticated attacker can specify arbitrary shell scripts to be executed with the privileges of the FTL process, which typically runs with elevated system permissions to manage network services. The affected product is specifically cpe:2.3:a:pi-hole:ftl:*:*:*:*:*:*:*:* covering the FTL component rather than the broader Pi-hole web interface.
RemediationAI
Immediately upgrade Pi-hole FTL to version 6.6 or later, which contains input validation fixes that properly sanitize newline characters in the dhcp.hosts configuration parameter. The vendor-released patch in version 6.6 addresses the underlying command injection vulnerability by implementing strict input filtering and escaping mechanisms for DHCP configuration entries. Administrators should access the GitHub security advisory at https://github.com/pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c for upgrade instructions and release notes. As a temporary risk mitigation measure for environments unable to immediately patch, restrict administrative access to the Pi-hole interface through network segmentation, implement multi-factor authentication if supported by deployment configuration, audit existing DHCP host entries for suspicious newline characters or unexpected configuration directives, and monitor FTL process execution for anomalous child processes. However, these workarounds do not eliminate the vulnerability and should only serve as interim controls pending upgrade to version 6.6.
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to inject arbitrary
Remote code execution in Pi-hole FTL 6.0 through 6.5 allows authenticated attackers to execute arbitrary commands via ne
Remote code execution in Pi-hole FTL DNS engine versions 6.0 through 6.5 allows authenticated attackers to execute arbit
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers with low privileges
Session hijacking in Pi-hole FTL versions prior to 6.6.1 stems from a race condition in the CivetWeb-based HTTP session
The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL
The realm configuration component of TIBCO Software Inc.'s TIBCO FTL Community Edition, TIBCO FTL Developer Edition, TIB
The realm server (tibrealmserver) component of TIBCO Software Inc. Rated high severity (CVSS 8.8), this vulnerability is
The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL
The FTL Server (tibftlserver), FTL C API, FTL Golang API, FTL Java API, and FTL .Net API components of TIBCO Software In
The Windows Installation component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition
The FTL Server (tibftlserver) and Docker images containing tibftlserver components of TIBCO Software Inc.'s TIBCO Active
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19715