Pi-hole Ftldns

8 matches found

added 2021/04/15 3:25 p.m., 86 views

CVE-2021-29448

Pi-hole exposes a Stored XSS vulnerability in the Admin portal (Web Interface) of Pi-hole, described across multiple sources. The issue is a stored DOM/XSS flaw in the AdminLTE-based interface that can be triggered by an attacker with network access to the DNS server. Affected is Pi-hole’s admin/...

CVSS 8.8 | AI score 7.9 | EPSS 0.00303
added 2026/04/07 3:19 p.m., 8 views

CVE-2026-35520

Pi-hole FTLDNS (pihole-FTL) versions 6.0 through

CVSS 8.8 | AI score 6.2 | EPSS 0.0048
added 2026/04/07 3:17 p.m., 5 views

CVE-2026-35518

Pi-hole FTL (FTLDNS) from 6.0 up to before 6.6 is vulnerable to Remote Code Execution via newline injection in the DNS CNAME records configuration parameter (dns.cnameRecords). An authenticated attacker can inject arbitrary dnsmasq directives, enabling command execution on the host. The issue is ...

CVSS 8.8 | AI score 6.2 | EPSS 0.0048
added 2026/04/07 3:20 p.m., 5 views

CVE-2026-35521

CVE-2026-35521 impact (Pi-hole FTL/FTLDNS). From 6.0 up to but not including 6.6, Pi-hole’s FTL engine contained a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). An authenticated attacker could inject arbitrary dnsmasq configuration directives by...

CVSS 8.8 | AI score 6.2 | EPSS 0.0048
added 2026/04/07 3:16 p.m., 3 views

CVE-2026-35517

Pi-hole FTL (FTLDNS) contains a Remote Code Execution flaw from 6.0 up to before 6.6 in the upstream DNS servers configuration (dns.upstreams). An authenticated attacker can inject arbitrary dnsmasq directives via newline characters, leading to command execution on the host. The issue is fixed in...

CVSS 8.8 | AI score 6.2 | EPSS 0.00127
Web
added 2026/05/05 8:50 p.m., 3 views

CVE-2026-39849

Pi-hole FTL before version 6.6.1 is vulnerable to a newline-injection in the dns.interface configuration field. The field accepts newlines without validation, allowing a network-adjacent attacker to inject arbitrary directives into the generated dnsmasq configuration. On systems with no admin pas...

CVSS 8.8 | AI score 6.1 | EPSS 0.00087
added 2026/04/07 3:0 p.m., 2 views

CVE-2026-35491

Pi-hole FTL (FTLDNS) from 6.0 to before 6.6 exposes a vulnerability where CLI API sessions (webserver.api.cli_pw) could import Teleporter archives via the /api/teleporter endpoint and overwrite configuration, despite /api/config blocking CLI sessions. This creates an authorization bypass that let...

CVSS 6.1 | AI score 5.9 | EPSS 0.00016
Web
added 2026/04/07 3:18 p.m., 2 views

CVE-2026-35519

CVE-2026-35519 affects Pi-hole FTL (FTLDNS). From 6.0 up to before 6.6, an authenticated attacker could inject arbitrary dnsmasq directives into the dns.hostRecord parameter via newline characters, leading to remote code execution on the host. The vulnerability is fixed in version 6.6. Exploitati...

CVSS 8.8 | AI score 6.2 | EPSS 0.00262