Platform: linux
Component: pi-hole-ftl
Fixed in: 6.0.1
CVE-2026-35520 is a Remote Code Execution (RCE) vulnerability discovered in the Pi-hole FTL (FTLDNS) component. This flaw allows an authenticated attacker to inject malicious configuration directives, potentially leading to complete system compromise. The vulnerability affects versions 6.0.0 through 6.5 and has been resolved in version 6.6.0.
The impact of CVE-2026-35520 is significant. Successful exploitation allows an attacker to execute arbitrary commands on the underlying Linux system hosting the Pi-hole instance. This could lead to data theft, system takeover, and potential lateral movement within the network. The ability to inject dnsmasq configuration directives provides a powerful attack vector, bypassing typical security controls. While authentication is required, a compromised user account or weak credentials could provide access to exploit this vulnerability. This is similar to other DNS server configuration vulnerabilities where malicious directives can be injected to manipulate DNS resolution and potentially redirect traffic to attacker-controlled servers.
CVE-2026-35520 was publicly disclosed on 2026-04-07. Currently, there is no indication of active exploitation in the wild. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept exploits are not yet widely available, but the vulnerability's nature suggests it could be relatively easy to exploit once a PoC is released.
Exploit Status
EPSS: 0.23% (45th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35520 is to upgrade Pi-hole FTL to version 6.6.0 or later. If an immediate upgrade is not feasible, consider temporarily restricting access to the DHCP lease time configuration parameter within the Pi-hole web interface. Review user accounts and enforce strong password policies to minimize the risk of unauthorized access. Monitor system logs for unusual activity related to dnsmasq configuration changes. While a WAF is unlikely to directly mitigate this, monitoring for unusual DNS query patterns could provide an early warning sign of exploitation. After upgrading, confirm the fix by verifying the FTL version and attempting to access the DHCP lease time configuration parameter, ensuring it is properly restricted.
Update Pi-hole FTL to version 6.6 or higher to mitigate the remote code execution vulnerability. The update can be performed through the Pi-hole control panel or by manually updating the FTLDNS package.
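One way to carry out the version check described above, added here as an example that is not part of this advisory or of the Pi-hole project's own code: it parses the version string FTL prints and reports whether the installed release falls inside the affected range stated on this page (6.0.0 through 6.5, fixed in 6.6.0). The command `pihole-FTL --version` used to obtain that string, and the sample output line, are assumptions for illustration rather than values taken from the page.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Range taken from the advisory text: affected from 6.0.0 up to (not including) 6.6.0,
# which covers the whole 6.5.x line that "through 6.5" refers to.
AFFECTED_MIN: Version = (6, 0, 0)
FIXED_IN: Version = (6, 6, 0)

# Constructed sample of what a version banner might look like; not real FTL output.
SAMPLE_OUTPUT = "Pi-hole FTL v6.5.2"


def parse_version(text: str) -> Optional[Version]:
    """Extract the first dotted version ('v6.5.2', '6.6') from arbitrary text.

    A missing patch component is treated as 0. Returns None when no
    version-looking token is present, so callers can report 'unknown'
    rather than silently treating garbage as safe.
    """
    match = re.search(r"\bv?(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not match:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: Version) -> bool:
    """True when 6.0.0 <= version < 6.6.0 (tuple comparison is lexicographic)."""
    return AFFECTED_MIN <= version < FIXED_IN


def assess(version_output: str) -> str:
    """Classify a version banner as AFFECTED, NOT_AFFECTED or UNKNOWN."""
    version = parse_version(version_output)
    if version is None:
        return "UNKNOWN"
    return "AFFECTED" if is_affected(version) else "NOT_AFFECTED"


def read_installed_version() -> str:
    """Ask the local FTL binary for its version (assumed command line).

    Falls back to an empty string if the binary is missing, so assess()
    reports UNKNOWN instead of crashing on a host without Pi-hole.
    """
    try:
        result = subprocess.run(
            ["pihole-FTL", "--version"], capture_output=True, text=True, timeout=10
        )
        return result.stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""


if __name__ == "__main__":
    banner = read_installed_version() or SAMPLE_OUTPUT
    print(f"{banner.strip()!r} -> {assess(banner)}")
```

Run it on the Pi-hole host after upgrading: a result of NOT_AFFECTED for the installed banner confirms the version side of the fix; UNKNOWN means the banner could not be parsed and should be checked by hand rather than assumed safe.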
CVE-2026-35520 is a Remote Code Execution vulnerability in Pi-hole FTL, allowing authenticated attackers to execute commands on the system. It affects versions 6.0.0 through 6.5.
You are affected if you are running Pi-hole FTL versions 6.0.0 through 6.5. Upgrade to 6.6.0 or later to mitigate the risk.
Upgrade Pi-hole FTL to version 6.6.0 or later. Temporarily restrict access to the DHCP lease time configuration parameter as a workaround.
There is currently no evidence of active exploitation in the wild, but the vulnerability's nature suggests it could be exploited once a proof-of-concept is released.
Refer to the official Pi-hole security advisory on their website for detailed information and updates: [https://pi-hole.net/security/](https://pi-hole.net/security/)