CVE-2026-35519
Received Received - Intake
Remote Code Execution in Pi-hole FTL via dns.hostRecord Injection

Publication date: 2026-04-07

Last updated on: 2026-04-28

Assigner: GitHub, Inc.

Description
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-35519
EUVD
EUVD-2026-19711
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pi-hole ftldns From 6.0 (inc) to 6.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated attacker to execute arbitrary system commands with elevated privileges on the Pi-hole server, potentially leading to full system compromise.

Such a compromise can result in unauthorized access to sensitive data, including DNS logs and network configurations, which may contain personal or confidential information.

Exposure or exfiltration of this data could violate data protection regulations such as GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Additionally, disruption of DNS infrastructure and potential lateral movement within networks could further impact the integrity and availability of systems, which are also critical aspects of compliance frameworks.

Executive Summary

CVE-2026-35519 is a Remote Code Execution (RCE) vulnerability in the Pi-hole FTL engine versions 6.0 to before 6.6. It arises from improper input validation in the dns.hostRecord configuration parameter, which is used to define custom DNS host records via the Pi-hole API.

The vulnerability occurs because the dns.hostRecord value is written directly into the dnsmasq configuration file without sanitizing newline characters. This allows an authenticated attacker to inject arbitrary dnsmasq configuration directives, including malicious commands.

Specifically, an attacker can inject newline characters followed by directives like leasefile-ro and dhcp-script, which cause dnsmasq to execute arbitrary shell commands, such as opening a reverse shell to the attacker.

Impact Analysis

This vulnerability allows an authenticated attacker with access to the Pi-hole administrative interface to execute arbitrary system commands with elevated privileges on the underlying system.

  • Full system compromise, including installing backdoors.
  • Exfiltration of sensitive data such as DNS logs and network configurations.
  • Lateral movement within the network.
  • DNS hijacking and disruption of DNS infrastructure.

The vulnerability has a high severity rating with a CVSS v3 score of 8.8, indicating a high impact on confidentiality, integrity, and availability.

Detection Guidance

This vulnerability can be detected by checking if your Pi-hole FTL engine version is between 6.0 and before 6.6, as these versions are vulnerable.

Detection involves verifying if unauthorized or suspicious dns.hostRecord configuration entries have been injected, especially those containing newline characters or dnsmasq directives such as leasefile-ro or dhcp-script.

You can inspect the dnsmasq configuration file used by Pi-hole FTL for unexpected entries by running commands like:

  • sudo cat /etc/dnsmasq.d/01-pihole.conf | grep -E 'leasefile-ro|dhcp-script'
  • sudo systemctl status pihole-FTL.service
  • Check Pi-hole API logs or configuration via API calls to see if suspicious PATCH requests have been made to /api/config with dns.hostRecord parameters containing newline characters.
Mitigation Strategies

The immediate mitigation step is to upgrade the Pi-hole FTL engine to version 6.6 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict access to the Pi-hole administrative interface to trusted users only, as the vulnerability requires authentication.

Monitor and audit the dns.hostRecord configuration parameters for any suspicious entries containing newline characters or injected dnsmasq directives.

Restart the DNS service after remediation to ensure no malicious configuration is loaded.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35519. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart