PT-2026-37240 · Pi-Hole · Pi-Hole Ftl

Anuraagbaishya

·

Published

2026-05-05

·

Updated

2026-05-12

·

CVE-2026-39849

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Pi-hole FTL versions prior to 6.6.1

Description

The dns.interface configuration field in Pi-hole FTL accepts newline characters without validation, which allows an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations where no admin password is set, the configuration API is accessible without credentials. This enables a network-adjacent attacker to inject a payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host when a device on the network requests a DHCP lease: dnsmasq's dhcp-script directive runs the named executable whenever a lease is added or removed, so once DHCP is enabled any client requesting a lease triggers the injected script. The injected value is persisted to /etc/pihole/pihole.toml and survives restarts. Although strncpy limits the interface field to 31 bytes, a payload such as wlan0 followed by a newline and dhcp-script=/tmp/p fits within that limit. The dnsmasq configuration check in FTL 6.6 only verifies that the generated file is syntactically valid, so well-formed injected directives pass it.

Recommendations

Update to version 6.6.1.
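The following C program is an added illustration written for this page; it is not Pi-hole FTL's code or the 6.6.1 fix. It models the rendering step the description refers to (a length-bounded strncpy copy of dns.interface into an interface= line, with no content check) using the constructed payload from the advisory, counts how many dnsmasq directives come out, and contrasts that with an allow-list validator of the kind that closes the bug. The validator's character set and its 15-character bound (the Linux IFNAMSIZ-1 limit) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Mirrors the limit named in the advisory: strncpy into a 32-byte buffer
 * leaves 31 usable bytes for the interface name. */
#define IFACE_BUF 32
/* Assumption for the hardened check: Linux interface names are at most
 * IFNAMSIZ-1 = 15 characters. */
#define IFACE_MAX_LEN 15

/* Vulnerable behaviour, modelled for illustration (not FTL's own code):
 * the value is bounded in length but not in content, so an embedded
 * newline turns one "interface=" line into two dnsmasq directives. */
int render_interface_directive(const char *value, char *out, size_t outlen)
{
    char iface[IFACE_BUF];
    strncpy(iface, value, IFACE_BUF - 1);
    iface[IFACE_BUF - 1] = '\0';
    return snprintf(out, outlen, "interface=%s\n", iface);
}

/* Count the dnsmasq directives (non-empty lines) in a rendered fragment. */
int count_directives(const char *config)
{
    int n = 0;
    const char *p = config;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0) n++;
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

/* 1 if the fragment contains a line that is not the expected interface=
 * directive, i.e. something was smuggled in through the field. */
int contains_injected_directive(const char *config)
{
    const char *p = config;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0 && strncmp(p, "interface=", 10) != 0) return 1;
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

/* Convenience wrappers: render a field value and inspect the result. */
int directives_for(const char *value)
{
    char cfg[128];
    render_interface_directive(value, cfg, sizeof cfg);
    return count_directives(cfg);
}

int injects_directive(const char *value)
{
    char cfg[128];
    render_interface_directive(value, cfg, sizeof cfg);
    return contains_injected_directive(cfg);
}

/* Hardened validator (assumption: an allow-list of this example's own
 * design, not the upstream fix): non-empty, at most IFACE_MAX_LEN bytes,
 * and only characters that can appear in a Linux interface name. Newlines,
 * carriage returns, spaces, '=' and '#' are all rejected before the value
 * reaches the config writer, so a length bound is no longer the only guard. */
int interface_name_is_valid(const char *value)
{
    size_t len = strlen(value);
    if (len == 0 || len > IFACE_MAX_LEN) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed payload from the advisory: 24 bytes, inside the 31-byte limit. */
    const char *payload = "wlan0\ndhcp-script=/tmp/p";
    char cfg[128];
    render_interface_directive(payload, cfg, sizeof cfg);
    printf("%s", cfg);
    printf("directives=%d injected=%d valid=%d\n", count_directives(cfg),
           contains_injected_directive(cfg), interface_name_is_valid(payload));
    return 0;
}
```

The point the program makes is the one in the description: a size limit on the copy does nothing against a payload that is short enough, and a syntax check on the output cannot tell an injected dhcp-script= line from a legitimate one, so the field has to be validated on input against what an interface name may contain.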

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-39849

Affected Products

Pi-Hole Ftl