{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35519", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T02:15:39.280Z", "datePublished": "2026-04-07T15:18:27.377Z", "dateUpdated": "2026-04-09T16:19:08.569Z"}, "containers": {"cna": {"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dns.hostRecord Newline Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp"}], "affected": [{"vendor": "pi-hole", "product": "FTL", "versions": [{"version": ">= 6.0, < 6.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:18:27.377Z"}, "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."}], "source": {"advisory": "GHSA-wxhv-w77q-6qwp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T16:12:50.932702Z", "id": "CVE-2026-35519", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:19:08.569Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35519", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T16:12:50.932702Z"}}}], "references": [{"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:13:26.087Z"}}], "cna": {"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dns.hostRecord Newline Injection", "source": {"advisory": "GHSA-wxhv-w77q-6qwp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pi-hole", "product": "FTL", "versions": [{"status": "affected", "version": ">= 6.0, < 6.6"}]}], "references": [{"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp", "name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:18:27.377Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35519", "state": "PUBLISHED", "dateUpdated": "2026-04-09T16:19:08.569Z", "dateReserved": "2026-04-03T02:15:39.280Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T15:18:27.377Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."}], "id": "CVE-2026-35519", "lastModified": "2026-04-09T17:16:25.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T16:16:28.397", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.0,6.6)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "FTL", "source": "cna", "vendor": "pi-hole"}, "product": "ftldns", "vendor": "pi-hole"}], "analysis": {"en": {"generated_at": "2026-04-07T22:48:34.254386+00:00", "value": {"mitigation_remediation": ["Upgrade Pi\u2011hole FTL to version 6.6 or newer."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Pi\u2011hole FTL (pihole\u2011FTL) versions 6.0 through 6.5 are affected. Users running any of these releases are vulnerable until they upgrade to a patched version.", "description_and_impact": "An authenticated attacker can inject newline characters into the dns.hostRecord setting of Pi\u2011hole FTL, causing arbitrary dnsmasq configuration directives to be interpreted and ultimately executing shell commands on the host. This vulnerability is a command\u2011execution flaw combined with newline injection. If exploited, the attacker can gain full control of the underlying operating system, allowing data modification or destruction.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, and the flaw requires authentication to the API. Once credentials are obtained, the attacker can exploit the newline injection without further conditions. The absence of an EPSS score and the lack of listing in KEV suggest no documented active exploitation, but the combination of high severity and potential for full system compromise makes the risk critical, warranting immediate attention."}}}}, "created": "2026-04-08T19:48:20.942448+00:00", "updated": "2026-04-09T08:24:15.876636+00:00", "vendors": ["pi-hole", "pi-hole$PRODUCT$ftldns"]}