Cyber Resilience

CVE-2026-35520

HighRCE

Published: 07 April 2026

Published
07 April 2026
Modified
09 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0070 48.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-35520 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35520 is a remote code execution (RCE) vulnerability in the Pi-hole FTL engine, also known as FTLDNS, which provides an interactive API and generates statistics for Pi-hole's web interface. Affecting versions from 6.0 up to but not including 6.6, the flaw resides in the DHCP lease time configuration parameter (dhcp.leaseTime). It enables an authenticated attacker to inject arbitrary dnsmasq configuration directives by exploiting newline characters, resulting in command execution on the underlying system. The vulnerability is associated with CWE-78 (OS Command Injection) and CWE-93 (Improper Neutralization of CRLF Sequences), and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By manipulating the dhcp.leaseTime parameter through the FTL API, the attacker injects malicious dnsmasq directives separated by newlines, which the engine processes and executes as system commands. Successful exploitation grants high confidentiality, integrity, and availability impacts, potentially allowing full compromise of the host system running Pi-hole.

The official advisory on GitHub (GHSA-fqv2-qhfh-ghcj) confirms the vulnerability is fixed in Pi-hole FTL version 6.6, recommending immediate upgrades for affected installations. No additional mitigations are detailed beyond patching, emphasizing the need for authentication controls on the FTL API in the interim.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability…

more

allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability enables remote code execution via OS command injection (T1059.004) through a web interface API parameter in Pi-hole FTL, exploitable as a public-facing application weakness (T1190) by low-privileged authenticated users, facilitating privilege escalation to system takeover (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35519Shared CWE-78, CWE-93
CVE-2026-35517Shared CWE-78, CWE-93
CVE-2026-35521Shared CWE-78, CWE-93
CVE-2026-27635Shared CWE-78
CVE-2025-56077Shared CWE-78
CVE-2026-28773Shared CWE-78
CVE-2025-56102Shared CWE-78
CVE-2021-47816Shared CWE-78
CVE-2026-24841Shared CWE-78
CVE-2026-26943Shared CWE-78

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through patching to Pi-hole FTL version 6.6 directly eliminates the RCE vulnerability in the dhcp.leaseTime parameter processing.

prevent

Information input validation at the FTL API enforces sanitization of the dhcp.leaseTime parameter to block newline injections and malicious dnsmasq directives.

prevent

Least privilege restricts low-privilege authenticated users from accessing or modifying the vulnerable dhcp.leaseTime configuration parameter via the API.

References