{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35517", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T02:15:39.280Z", "datePublished": "2026-04-07T15:16:02.955Z", "dateUpdated": "2026-04-07T18:19:50.497Z"}, "containers": {"cna": {"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dns.upstreams Newline Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj"}], "affected": [{"vendor": "pi-hole", "product": "FTL", "versions": [{"version": ">= 6.0, < 6.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:16:02.955Z"}, "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."}], "source": {"advisory": "GHSA-23w8-7333-p9fj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T18:19:40.630593Z", "id": "CVE-2026-35517", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T18:19:50.497Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35517", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T18:19:40.630593Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T18:19:46.559Z"}}], "cna": {"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dns.upstreams Newline Injection", "source": {"advisory": "GHSA-23w8-7333-p9fj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pi-hole", "product": "FTL", "versions": [{"status": "affected", "version": ">= 6.0, < 6.6"}]}], "references": [{"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj", "name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:16:02.955Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35517", "state": "PUBLISHED", "dateUpdated": "2026-04-07T18:19:50.497Z", "dateReserved": "2026-04-03T02:15:39.280Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T15:16:02.955Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pi-hole:ftldns:*:*:*:*:*:*:*:*", "matchCriteriaId": "8C927FF0-74A4-4F13-95A8-E80C5E80F607", "versionEndIncluding": "6.5", "versionStartIncluding": "6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."}], "id": "CVE-2026-35517", "lastModified": "2026-04-28T20:36:11.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T16:16:28.093", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.0,6.6)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "FTL", "source": "cna", "vendor": "pi-hole"}, "product": "ftldns", "vendor": "pi-hole"}], "analysis": {"en": {"generated_at": "2026-04-07T22:48:56.990479+00:00", "value": {"mitigation_remediation": ["Upgrade pi\u2011hole FTL to version 6.6 or later"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Versions of pi\u2011hole FTL from 6.0 up to, but not including, 6.6 are affected. The vulnerability was addressed in release 6.6, so any installation that is still on an earlier version remains vulnerable.", "description_and_impact": "FTLDNS, the DNS engine that powers Pi\u2011hole, has a flaw in how it processes the dns.upstreams configuration setting. An attacker who can authenticate to the Pi\u2011hole API or configuration interface can inject newline characters into this parameter. The engine then appends arbitrary dnsmasq configuration directives to its internal file, and because dnsmasq executes those directives the attacker can run shell commands on the host system, effectively taking control of the machine hosting Pi\u2011hole.", "risk_and_exploitability": "The CVSS score of 8.8 places this flaw in the high severity range. No EPSS score is available and the vulnerability does not appear in the CISA Known Exploited Vulnerabilities catalog. The attack requires authenticated access to the Pi\u2011hole configuration, but once the newline injection is performed, the attacker can execute arbitrary commands without further interaction, making the omission easy to leverage against any privileged user."}}}}, "created": "2026-04-08T19:48:24.244435+00:00", "updated": "2026-04-09T08:24:17.879577+00:00", "vendors": ["pi-hole", "pi-hole$PRODUCT$ftldns"]}