CVE-2026-35517
Published: 07 April 2026
Summary
CVE-2026-35517 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the RCE vulnerability by requiring timely installation of the fix in Pi-hole FTL version 6.6.
Prevents exploitation by validating and sanitizing the dns.upstreams input parameter to block newline injection and arbitrary dnsmasq directives.
Limits the attack surface by restricting and documenting authorized changes to critical configuration settings like dns.upstreams.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
RCE via authenticated remote command injection in Pi-hole FTL API enables exploitation of public-facing web application (T1190), remote services (T1210), privilege escalation (T1068), and Unix shell execution (T1059.004).
NVD Description
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability…
more
allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Deeper analysisAI
CVE-2026-35517 is a remote code execution (RCE) vulnerability in the Pi-hole FTL engine, also known as FTLDNS, which provides an interactive API and generates statistics for Pi-hole's web interface. Affecting versions from 6.0 up to but not including 6.6, the flaw resides in the upstream DNS servers configuration parameter (dns.upstreams). It enables injection of arbitrary dnsmasq configuration directives via newline characters, leading to command execution on the underlying system. The vulnerability is associated with CWE-78 (OS Command Injection) and CWE-93 (Improper Neutralization of CRLF Sequences), and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting a malicious payload in the dns.upstreams parameter, the attacker injects dnsmasq directives that execute arbitrary commands on the host system, potentially granting full control including high confidentiality, integrity, and availability impacts.
The official advisory on GitHub (GHSA-23w8-7333-p9fj) confirms the issue is resolved in Pi-hole FTL version 6.6, recommending immediate upgrades to mitigate the risk. No additional workarounds are specified in the provided details.
Details
- CWE(s)