CVE-2026-35517 Pi-hole FTLDNS Remote Code Execution via Newline Injection (CVSS 8.8). Python & Nmap NSE detection scripts with full technical breakdown. A newline character in the dns.upstreams parameter gives authenticated attackers command execution on the host. Five related injection vectors all patched in FTL v6.6.
Updated Apr 14, 2026 - Python