Cyber Posture

CVE-2026-35520

High

Published: 07 April 2026

Published
07 April 2026
Modified
09 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0042 61.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability…

more

allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Timely flaw remediation through patching to Pi-hole FTL version 6.6 directly eliminates the RCE vulnerability in the dhcp.leaseTime parameter processing.

SI-10 Information Input Validation good match
prevent

Information input validation at the FTL API enforces sanitization of the dhcp.leaseTime parameter to block newline injections and malicious dnsmasq directives.

AC-6 Least Privilege partial match
prevent

Least privilege restricts low-privilege authenticated users from accessing or modifying the vulnerable dhcp.leaseTime configuration parameter via the API.

Security SummaryAI

CVE-2026-35520 is a remote code execution (RCE) vulnerability in the Pi-hole FTL engine, also known as FTLDNS, which provides an interactive API and generates statistics for Pi-hole's web interface. Affecting versions from 6.0 up to but not including 6.6, the flaw resides in the DHCP lease time configuration parameter (dhcp.leaseTime). It enables an authenticated attacker to inject arbitrary dnsmasq configuration directives by exploiting newline characters, resulting in command execution on the underlying system. The vulnerability is associated with CWE-78 (OS Command Injection) and CWE-93 (Improper Neutralization of CRLF Sequences), and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By manipulating the dhcp.leaseTime parameter through the FTL API, the attacker injects malicious dnsmasq directives separated by newlines, which the engine processes and executes as system commands. Successful exploitation grants high confidentiality, integrity, and availability impacts, potentially allowing full compromise of the host system running Pi-hole.

The official advisory on GitHub (GHSA-fqv2-qhfh-ghcj) confirms the vulnerability is fixed in Pi-hole FTL version 6.6, recommending immediate upgrades for affected installations. No additional mitigations are detailed beyond patching, emphasizing the need for authentication controls on the FTL API in the interim.

Details

CWE(s)
CWE-78CWE-93

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

The vulnerability enables remote code execution via OS command injection (T1059.004) through a web interface API parameter in Pi-hole FTL, exploitable as a public-facing application weakness (T1190) by low-privileged authenticated users, facilitating privilege escalation to system takeover (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References