{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35520", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T02:15:39.280Z", "datePublished": "2026-04-07T15:19:21.875Z", "dateUpdated": "2026-04-09T14:35:45.884Z"}, "containers": {"cna": {"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.leaseTime Newline Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj"}], "affected": [{"vendor": "pi-hole", "product": "FTL", "versions": [{"version": ">= 6.0, < 6.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:19:21.875Z"}, "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."}], "source": {"advisory": "GHSA-fqv2-qhfh-ghcj", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:35:40.330714Z", "id": "CVE-2026-35520", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:35:45.884Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35520", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T14:35:40.330714Z"}}}], "references": [{"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:35:35.567Z"}}], "cna": {"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.leaseTime Newline Injection", "source": {"advisory": "GHSA-fqv2-qhfh-ghcj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pi-hole", "product": "FTL", "versions": [{"status": "affected", "version": ">= 6.0, < 6.6"}]}], "references": [{"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj", "name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:19:21.875Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35520", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:35:45.884Z", "dateReserved": "2026-04-03T02:15:39.280Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T15:19:21.875Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."}], "id": "CVE-2026-35520", "lastModified": "2026-04-09T15:16:12.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T16:16:28.550", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.0,6.6)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "FTL", "source": "cna", "vendor": "pi-hole"}, "product": "ftldns", "vendor": "pi-hole"}], "analysis": {"en": {"generated_at": "2026-04-07T22:48:17.840041+00:00", "value": {"mitigation_remediation": ["Upgrade PI\u2011hole to version 6.6 or later to eliminate the vulnerability", "If an upgrade is not immediately possible, restrict or disable the DHCP server feature so that dhcp.leaseTime cannot be altered", "Limit authenticated API and web interface access to trusted administrators only to reduce the attack surface"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is PI\u2011hole FTL, the DNS forwarding and blocking engine used by the Pi\u2011hole network advertising platform. Anyone running PI\u2011hole FTL versions 6.0 through 6.5, inclusive, is potentially vulnerable. The vulnerability is fixed in release 6.6, so any installation of that version or later is immune.", "description_and_impact": "PI\u2011hole FTL (pihole\u2011FTL) includes a remote code execution vulnerability that arises when the DHCP lease time setting, dhcp.leaseTime, accepts newline characters that are then interpreted as dnsmasq configuration directives. By exploiting this flaw, an attacker who is authenticated and has the ability to modify the lease time can inject arbitrary commands that execute on the host operating system, leading to full system compromise. The weakness stems from improper handling of newline characters in configuration input, corresponding to CWE\u201178 and CWE\u201193. The vulnerability is present in FTL releases from version 6.0 up to, but not including, version 6.6.", "risk_and_exploitability": "The CVSS score for this issue is 8.8, indicating high severity. Because the exploit requires authenticated access to modify DHCP settings or the API, the attacker's success depends on prior compromise or privileged access to the PI\u2011hole management interface. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting that large\u2011scale, publicly known exploitation has not yet been documented. Nonetheless, the potential for catastrophic system compromise warrants serious attention and prompt remediation."}}}}, "created": "2026-04-08T19:48:19.905526+00:00", "updated": "2026-04-09T08:24:14.876574+00:00", "vendors": ["pi-hole", "pi-hole$PRODUCT$ftldns"]}