{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35518", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T02:15:39.280Z", "datePublished": "2026-04-07T15:17:39.977Z", "dateUpdated": "2026-04-08T14:55:05.699Z"}, "containers": {"cna": {"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m"}], "affected": [{"vendor": "pi-hole", "product": "FTL", "versions": [{"version": ">= 6.0, < 6.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:17:39.977Z"}, "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."}], "source": {"advisory": "GHSA-28g5-gg88-wh5m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:54:51.921500Z", "id": "CVE-2026-35518", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:55:05.699Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection", "source": {"advisory": "GHSA-28g5-gg88-wh5m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pi-hole", "product": "FTL", "versions": [{"status": "affected", "version": ">= 6.0, < 6.6"}]}], "references": [{"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m", "name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:17:39.977Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35518", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T14:54:51.921500Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-08T14:54:56.798Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-35518", "state": "PUBLISHED", "dateUpdated": "2026-04-07T15:17:39.977Z", "dateReserved": "2026-04-03T02:15:39.280Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T15:17:39.977Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."}], "id": "CVE-2026-35518", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T16:16:28.243", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-07T22:48:40.958982+00:00", "value": {"mitigation_remediation": ["Upgrade Pi\u2011hole FTL to version 6.6 or newer.", "Verify the FTL version after the upgrade.", "Restrict API access to trusted administrators to reduce the attack surface.", "Monitor logs for unexpected API activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue affects Pi\u2011hole FTL versions 6.0 through any release before 6.6. The vulnerability is limited to the FTL engine and does not impact other components of Pi\u2011hole. Updating to FTL 6.6 or later removes the flaw.", "description_and_impact": "The flaw resides in the DNS CNAME records configuration parameter (dns.cnameRecords). An attacker who is authenticated to the Pi\u2011hole FTL API can inject newline characters into this setting, causing arbitrary dnsmasq configuration directives to be written. This leads to command execution on the host operating system, representing a full remote code\u2011execution vulnerability.", "risk_and_exploitability": "The problem scores an 8.8 on CVSS, indicating high severity, while the EPSS score is unavailable. It is not listed in the CISA KEV catalog, suggesting no known public exploitation yet. The vulnerability can only be triggered by an authenticated user of the FTL API, but once authenticated, the attacker can execute arbitrary system commands via the injected configuration."}}}}, "created": "2026-04-08T19:48:23.058574+00:00", "updated": "2026-04-08T19:48:23.058624+00:00", "vendors": []}