CVE-2026-35519
Published: 07 April 2026
Summary
CVE-2026-35519 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents the injection vulnerability by validating dns.hostRecord inputs against malicious newline characters and dnsmasq directives.
SI-2 mitigates the RCE flaw comprehensively by requiring timely remediation through upgrading Pi-hole FTL to version 6.6 or later.
SI-9 restricts dns.hostRecord inputs to safe formats, such as prohibiting newlines and special characters used for dnsmasq command injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
RCE via OS command injection (CWE-78) in remote public-facing Pi-hole FTLDNS API/service (dns.hostRecord parameter), enabling exploitation of public-facing application/remote services, Unix shell execution, and privilege escalation from low-priv authentication to high-impact system command execution.
NVD Description
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability…
more
allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Deeper analysisAI
CVE-2026-35519 is a Remote Code Execution (RCE) vulnerability in the Pi-hole FTL engine, also known as FTLDNS (pihole-FTL), which provides an interactive API and generates statistics for Pi-hole's Web interface. The flaw resides in the dns.hostRecord configuration parameter and affects versions from 6.0 up to but not including 6.6. It stems from improper handling of input (CWE-93) that enables injection of arbitrary dnsmasq configuration directives via newline characters (CWE-78), leading to command execution on the underlying system. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with low-privilege access (PR:L) can exploit this remotely over the network (AV:N) with low complexity and no user interaction required. By crafting malicious input for the dns.hostRecord parameter through the FTL API or Pi-hole's Web interface, the attacker injects newline-separated dnsmasq directives that execute arbitrary commands on the host system, potentially granting full control including data exfiltration, persistence, or further lateral movement.
The vulnerability is addressed in Pi-hole FTL version 6.6. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp.
Details
- CWE(s)