CVE-2026-39849
CVE-2026-39849 is a high-severity vulnerability in Pi-hole Ftldns with a CVSS 3.x base score of 8.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-93.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v4: 8.7
- EPSS exploit prediction: 1% (57th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-27498
- Weakness: CWE-93
- Affected product: Pi-hole Ftldns
- Published:
- Last modified:
Description
Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin password set (the default for many deployments), the configuration API is fully accessible without credentials, allowing a network-adjacent attacker to inject the payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host the next time any device on the network requests a DHCP lease. The injected value is persisted to /etc/pihole/pihole.toml and survives restarts. The strncpy in the code path limits the total interface field to 31 bytes, but payloads such as wlan0\ndhcp-script=/tmp/p fit within this constraint. The dnsmasq config validation introduced in FTL 6.6 only checks syntactic validity, so valid directives injected via newline pass validation successfully. This issue has been fixed in version 6.6.1.
Frequently asked questions
- What is CVE-2026-39849?
- Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin password set (the default for many deployments), the configuration API is fully accessible without credentials, allowing a network-adjacent attacker to inject the payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host the next time any device on the network requests a DHCP lease. The injected value is persisted to /etc/pihole/pihole.toml and survives restarts. The strncpy in the code path limits the total interface field to 31 bytes, but payloads such as wlan0\ndhcp-script=/tmp/p fit within this constraint. The dnsmasq config validation introduced in FTL 6.6 only checks syntactic validity, so valid directives injected via newline pass validation successfully. This issue has been fixed in version 6.6.1.
- How severe is CVE-2026-39849?
- CVE-2026-39849 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2026-39849 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (57th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-39849?
- CVE-2026-39849 affects Pi-hole Ftldns. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-39849?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-39849 have an EU (EUVD) identifier?
- Yes. CVE-2026-39849 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-27498.
- When was CVE-2026-39849 published?
- CVE-2026-39849 was published on 2026-05-05 and last updated on 2026-06-17.
References
- https://github.com/pi-hole/FTL/commit/0c46e4ec7fe57f762fce261625f2cf5d43806e6d
- https://github.com/pi-hole/FTL/releases/tag/v6.6.1
- https://github.com/pi-hole/FTL/security/advisories/GHSA-9cqv-839p-gpq2
Affected products (1)
- cpe:2.3:a:pi-hole:ftldns:6.6:*:*:*:*:*:*:*
More vulnerabilities in Pi-hole Ftldns
- CVE-2026-35521 — High (CVSS 8.8): FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to…
- CVE-2026-35520 — High (CVSS 8.8): FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to…
- CVE-2026-35519 — High (CVSS 8.8): FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to…
- CVE-2026-35518 — High (CVSS 8.8): FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to…
- CVE-2026-35517 — High (CVSS 8.8): FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to…
- CVE-2021-29448 — High (CVSS 7.6): Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the…
All CVEs affecting Pi-hole Ftldns →
Other CWE-93 (CRLF Injection) vulnerabilities
- CVE-2024-51501 — Critical (CVSS 10.0): Refit is an automatic type-safe REST library for .NET Core, Xamarin and .NET The various header-related Refit…
- CVE-2026-45372 — Critical (CVSS 9.9): cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's…
- CVE-2026-11362 — Critical (CVSS 9.8): DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not…
- CVE-2025-40671 — Critical (CVSS 9.3): SQL injection vulnerability in AES Multimedia's Gestnet v1.07. This vulnerability allows an attacker to retrieve,…
- CVE-2026-11373 — Critical (CVSS 9.1): Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for…
- CVE-2026-50638 — Critical (CVSS 9.1): Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd…