Pi-Hole Ftldns vulnerabilities
8 known vulnerabilities affecting pi-hole/ftldns.
Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 7, MEDIUM 1
Vulnerabilities
CVE-2026-39849 | P2 | HIGH | CVSS 8.8 | CWE-93 | v6.6 | 2026-05-05
Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin
nvd
CVE-2026-35517 | P2 | HIGH | CVSS 8.8 | CWE-78 | ≥ 6.0, ≤ 6.5 | 2026-04-07
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows an authenticated attacker to inject arbitrary dnsmas
nvd
CVE-2026-35520 | P2 | HIGH | CVSS 8.8 | CWE-78 | ≥ 6.0, ≤ 6.5 | 2026-04-07
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq co
nvd
CVE-2026-35521 | P2 | HIGH | CVSS 8.8 | CWE-78 | ≥ 6.0, ≤ 6.5 | 2026-04-07
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configurati
nvd
CVE-2026-35518 | P2 | HIGH | CVSS 8.8 | CWE-78 | ≥ 6.0, ≤ 6.5 | 2026-04-07
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmas
nvd
CVE-2026-35519 | P2 | HIGH | CVSS 8.8 | CWE-78 | ≥ 6.0, ≤ 6.5 | 2026-04-07
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq co
nvd
CVE-2021-29448 | P3 | HIGH | CVSS 8.8 | CWE-79 | v5.7 | 2021-04-15
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. A stored XSS exists in the Pi-hole Admin portal, which can be exploited by a malicious actor with network access to the DNS server. See the referenced GitHub security advisory for patch details.
nvd
CVE-2026-35491 | P4 | MEDIUM | CVSS 6.1 | CWE-863 | ≥ 6.0, < 6.6 | 2026-04-07
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configu
nvd