
Pi-Hole Ftl vulnerabilities

8 known vulnerabilities affecting pi-hole/ftl.

Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 7, MEDIUM 1

Vulnerabilities

CVE ID           Priority  Severity  CVSS  Affected / fixed    Date
CVE-2026-39849   P2        HIGH      8.8   fixed in 6.6.1      2026-05-05
CVE-2026-35517   P2        HIGH      8.8   >= 6.0, < 6.6       2026-04-07
CVE-2026-35520   P2        HIGH      8.8   >= 6.0, < 6.6       2026-04-07
CVE-2026-35521   P2        HIGH      8.8   >= 6.0, < 6.6       2026-04-07
CVE-2026-35518   P2        HIGH      8.8   >= 6.0, < 6.6       2026-04-07
CVE-2026-35519   P2        HIGH      8.8   >= 6.0, < 6.6       2026-04-07
CVE-2026-44693   P3        HIGH      8.8   fixed in 6.6.1      2026-06-10
CVE-2026-35491   P4        MEDIUM    6.1   >= 6.0, < 6.6       2026-04-07

CVE-2026-39849 (HIGH, CWE-93, source: nvd)
Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin

CVE-2026-35517 (HIGH, CWE-78, source: nvd)
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows an authenticated attacker to inject arbitrary dnsmas

CVE-2026-35520 (HIGH, CWE-78, source: nvd)
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq co

CVE-2026-35521 (HIGH, CWE-78, source: nvd)
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configurati

CVE-2026-35518 (HIGH, CWE-78, source: nvd)
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmas

CVE-2026-35519 (HIGH, CWE-78, source: nvd)
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq co

CVE-2026-44693 (HIGH, CWE-362, source: nvd)
Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based web server. This issue has been patched in version 6.6.1.

CVE-2026-35491 (MEDIUM, CWE-863, source: nvd)
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates "CLI" API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configu