Cyber Posture

CVE-2026-35519

High

Published: 07 April 2026

Published
07 April 2026
Modified
09 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0026 49.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability…

more

allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 directly prevents the injection vulnerability by validating dns.hostRecord inputs against malicious newline characters and dnsmasq directives.

SI-2 Flaw Remediation good match
prevent

SI-2 mitigates the RCE flaw comprehensively by requiring timely remediation through upgrading Pi-hole FTL to version 6.6 or later.

SI-9 Information Input Restrictions good match
prevent

SI-9 restricts dns.hostRecord inputs to safe formats, such as prohibiting newlines and special characters used for dnsmasq command injection.

Security SummaryAI

CVE-2026-35519 is a Remote Code Execution (RCE) vulnerability in the Pi-hole FTL engine, also known as FTLDNS (pihole-FTL), which provides an interactive API and generates statistics for Pi-hole's Web interface. The flaw resides in the dns.hostRecord configuration parameter and affects versions from 6.0 up to but not including 6.6. It stems from improper handling of input (CWE-93) that enables injection of arbitrary dnsmasq configuration directives via newline characters (CWE-78), leading to command execution on the underlying system. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker with low-privilege access (PR:L) can exploit this remotely over the network (AV:N) with low complexity and no user interaction required. By crafting malicious input for the dns.hostRecord parameter through the FTL API or Pi-hole's Web interface, the attacker injects newline-separated dnsmasq directives that execute arbitrary commands on the host system, potentially granting full control including data exfiltration, persistence, or further lateral movement.

The vulnerability is addressed in Pi-hole FTL version 6.6. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp.

Details

CWE(s)
CWE-78CWE-93

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

RCE via OS command injection (CWE-78) in remote public-facing Pi-hole FTLDNS API/service (dns.hostRecord parameter), enabling exploitation of public-facing application/remote services, Unix shell execution, and privilege escalation from low-priv authentication to high-impact system command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References