Lucene search
K

33 matches found

CVE
CVE
added 2026/06/10 10:11 p.m.18 views

CVE-2026-44693

Pi-hole FTL contains a race condition in the HTTP session management subsystem (global session buffer) introduced with the v6.0 CivetWeb rewrite, allowing unauthenticated session hijacking. It affects versions prior to 6.6.1 and is patched in 6.6.1. CVSS v3.1 is 8.8 (Network, Privileges None, Use...

8.8CVSS5.4AI score0.0023EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/10 10:11 p.m.12 views

EUVD-2026-36194

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based web server. This iss...

8.8CVSS5.4AI score0.0023EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/10 10:11 p.m.7 views

CVE-2026-44693 Pi-hole FTL: Unauthenticated Session Hijacking via Race Condition on Global Session Buffer

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based web server. This iss...

8.8CVSS5.4AI score0.0023EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.18 views

PT-2026-48561

Name of the Vulnerable Software and Affected Versions Pi-hole FTL versions prior to 6.6.1 Description A race condition exists in the HTTP session management subsystem of the embedded CivetWeb-based web server. This issue was introduced during the v6.0 rewrite of the server engine. Recommendations...

8.8CVSS5.2AI score0.0023EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/05 7:10 p.m.11 views

CVE-2026-35517

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the upstream DNS servers configuration parameter dns.upstreams. This vulnerability allows a...

8.8CVSS6AI score0.00859EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:10 p.m.11 views

CVE-2026-35521

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the DHCP hosts configuration parameter dhcp.hosts. This vulnerability allows an authenticat...

8.8CVSS6AI score0.00686EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/05 8:50 p.m.7 views

CVE-2026-39849 Pi-hole FTL remote code execution via newline injection in dns.interface configuration

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the dns.interface configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated...

8.7CVSS6.1AI score0.00956EPSS
Exploits1References3
EUVD
EUVD
added 2026/05/05 8:50 p.m.19 views

EUVD-2026-27498

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the dns.interface configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated...

8.7CVSS6.1AI score0.00956EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/05/05 8:50 p.m.41 views

CVE-2026-39849 Pi-hole FTL remote code execution via newline injection in dns.interface configuration

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the dns.interface configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated...

8.7CVSS0.00956EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/04/09 7:23 p.m.2 views

CVE-2026-35520

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the DHCP lease time configuration parameter dhcp.leaseTime. This vulnerability allows an...

8.8CVSS6.2AI score0.00701EPSS
Exploits1References1
NVD
NVD
added 2026/04/07 4:16 p.m.10 views

CVE-2026-35521

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the DHCP hosts configuration parameter dhcp.hosts. This vulnerability allows an authenticat...

8.8CVSS0.00686EPSS
Exploits1References1
NVD
NVD
added 2026/04/07 4:16 p.m.6 views

CVE-2026-35520

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the DHCP lease time configuration parameter dhcp.leaseTime. This vulnerability allows an...

8.8CVSS0.00701EPSS
Exploits1References1
NVD
NVD
added 2026/04/07 4:16 p.m.2 views

CVE-2026-35518

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the DNS CNAME records configuration parameter dns.cnameRecords. This vulnerability allows a...

8.8CVSS0.00686EPSS
Exploits1References1
NVD
NVD
added 2026/04/07 4:16 p.m.3 views

CVE-2026-35491

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature webserver.api.clipw that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config...

6.1CVSS0.00156EPSS
Exploits1References1
CVE
CVE
added 2026/04/07 3:20 p.m.15 views

CVE-2026-35521

CVE-2026-35521 impact (Pi-hole FTL/FTLDNS). From 6.0 up to but not including 6.6, Pi-hole’s FTL engine contained a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). An authenticated attacker could inject arbitrary dnsmasq configuration directives by...

8.8CVSS6.2AI score0.00686EPSS
Exploits1References1Affected Software1
EUVD
EUVD
added 2026/04/07 3:20 p.m.6 views

EUVD-2026-19715

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the DHCP hosts configuration parameter dhcp.hosts. This vulnerability allows an authenticat...

8.8CVSS6.2AI score0.00686EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/07 3:20 p.m.22 views

CVE-2026-35521 Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the DHCP hosts configuration parameter dhcp.hosts. This vulnerability allows an authenticat...

8.8CVSS0.00686EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/07 3:19 p.m.2 views

CVE-2026-35520

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the DHCP lease time configuration parameter dhcp.leaseTime. This vulnerability allows an...

8.8CVSS6.2AI score0.00701EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/04/07 3:19 p.m.18 views

CVE-2026-35520

Pi-hole FTLDNS (pihole-FTL) versions 6.0 through

8.8CVSS6.2AI score0.00701EPSS
Exploits1References1Affected Software1
CVE
CVE
added 2026/04/07 3:18 p.m.9 views

CVE-2026-35519

CVE-2026-35519 affects Pi-hole FTL (FTLDNS). From 6.0 up to before 6.6, an authenticated attacker could inject arbitrary dnsmasq directives into the dns.hostRecord parameter via newline characters, leading to remote code execution on the host. The vulnerability is fixed in version 6.6. Exploitati...

8.8CVSS6.2AI score0.00537EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder