CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Vulnrichment•added 2026/06/10 10:11 p.m.•7 views

CVE-2026-44693 Pi-hole FTL: Unauthenticated Session Hijacking via Race Condition on Global Session Buffer

8.8CVSS5.4AI score0.0023EPSS

CVE•added 2026/06/10 10:11 p.m.•15 views

CVE-2026-44693

Pi-hole FTL contains a race condition in the HTTP session management subsystem (global session buffer) introduced with the v6.0 CivetWeb rewrite, allowing unauthenticated session hijacking. It affects versions prior to 6.6.1 and is patched in 6.6.1. CVSS v3.1 is 8.8 (Network, Privileges None, Use...

8.8CVSS5.4AI score0.0023EPSS

Positive Technologies•added 2026/06/10 12:0 a.m.•12 views

PT-2026-48561

Name of the Vulnerable Software and Affected Versions Pi-hole FTL versions prior to 6.6.1 Description A race condition exists in the HTTP session management subsystem of the embedded CivetWeb-based web server. This issue was introduced during the v6.0 rewrite of the server engine. Recommendations...

8.8CVSS5.2AI score0.0023EPSS

Exploits0References5

RedhatCVE•added 2026/06/05 7:49 p.m.•8 views

CVE-2026-29207

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with...

6.5CVSS5.3AI score0.00541EPSS

RedhatCVE•added 2026/06/05 7:10 p.m.•11 views

CVE-2026-35517

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the upstream DNS servers configuration parameter dns.upstreams. This vulnerability allows a...

8.8CVSS6AI score0.00859EPSS

Exploits2References1

RedhatCVE•added 2026/06/05 7:10 p.m.•11 views

CVE-2026-35521

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the DHCP hosts configuration parameter dhcp.hosts. This vulnerability allows an authenticat...

8.8CVSS6AI score0.00686EPSS

NVD•added 2026/05/19 10:16 a.m.•17 views

CVE-2026-29207

6.5CVSS0.00541EPSS

Vulnrichment•added 2026/05/19 9:18 a.m.•6 views

CVE-2026-29207 Apache OFBiz: Low-Privilege SSTI Leading to RCE in the Content Component

5.7AI score0.00541EPSS

EUVD•added 2026/05/19 9:18 a.m.•9 views

EUVD-2026-30855

6.5CVSS5.7AI score0.00541EPSS

Positive Technologies•added 2026/05/19 12:0 a.m.•11 views

PT-2026-41844

5.7AI score0.00541EPSS

Cvelist•added 2026/05/11 8:21 p.m.•37 views

CVE-2026-41489 Pi-hole: Local privilege escalation via config-controlled path in root-executed service hooks

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd pihole-FTL-prestart.sh and pihole-FTL-poststop.sh read the files.pid path from this config...

8.8CVSS0.00132EPSS

Positive Technologies•added 2026/05/11 12:0 a.m.•16 views

PT-2026-39836

8.8CVSS5.9AI score0.00132EPSS

Vulnrichment•added 2026/05/05 8:50 p.m.•6 views

CVE-2026-39849 Pi-hole FTL remote code execution via newline injection in dns.interface configuration

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the dns.interface configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated...

8.7CVSS6.1AI score0.00956EPSS

Exploits1References3

EUVD•added 2026/05/05 8:50 p.m.•17 views

EUVD-2026-27498

8.7CVSS6.1AI score0.00956EPSS

Exploits1References3

Cvelist•added 2026/05/05 8:50 p.m.•34 views

CVE-2026-39849 Pi-hole FTL remote code execution via newline injection in dns.interface configuration

8.7CVSS0.00956EPSS

Exploits1References3

AstraLinux•added 2026/05/03 11:59 p.m.•4 views

Astra Linux – Vulnerabilities in Linux, Linux-5.10, Linux-5.15, Linux-6.1

In the Linux kernel, the following vulnerability has been resolved: mtd: Fixed a NULL pointer dereferencing issue caused by the ftl notifier. If both ftl.ko and gluebi.ko are loaded, the ftl notifier triggers a NULL pointer dereferencing when attempting to access ‘gluebi-desc’ in gluebiread. In t...

5.5CVSS5.5AI score0.00242EPSS

RedhatCVE•added 2026/04/09 7:23 p.m.•2 views

CVE-2026-35520

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the DHCP lease time configuration parameter dhcp.leaseTime. This vulnerability allows an...

8.8CVSS6.2AI score0.00701EPSS

NVD•added 2026/04/07 4:16 p.m.•8 views

CVE-2026-35521

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the DHCP hosts configuration parameter dhcp.hosts. This vulnerability allows an authenticat...

8.8CVSS0.00686EPSS

NVD•added 2026/04/07 4:16 p.m.•1 views

CVE-2026-35518

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the DNS CNAME records configuration parameter dns.cnameRecords. This vulnerability allows a...

8.8CVSS0.00686EPSS