Version 6.4.1 of Pi-hole Core has been released. Pi-hole Web 6.5 and Pi-hole FTL 6.6 have also appeared. Pi-hole is an advertising-aware DNS and web server intended to run on a Raspberry Pi in the network. If the router points to Pi-hole for DNS handling, all devices in the network will automatically use it without any settings having to be changed. Advertisements are then no longer fetched, so pages load faster. It can potentially also keep malware out. For more information we refer you to the explanation and videos on this page, this guide by tweaker jpgview, or this topic on our forum. The release notes for this release can be found below.
Pi-hole FTL v6.6, Web v6.5 and Core v6.4.1 Released!

As always, please read through the changelogs before updating with pihole -up

Don’t forget, you can use Teleporter to export your configuration. It can be found under the settings menu of the web interface or on the command line with pihole-FTL --teleporter

This release has also been tagged on Docker as 2026.04.0

Highlights

Security

Thank you to andrejtomci for responsibly disclosing multiple web interface vulnerabilities covering a range of XSS and HTML injection attack vectors.

Thank you to smittix for responsibly disclosing a local privilege escalation vulnerability in the Core component, where /etc/pihole/versions could be sourced by root-run Pi-hole scripts, allowing code execution as root in a post-compromise scenario. This has been fixed by replacing the source call with a safe parser that only assigns known keys with validated values.

Thank you to mzalzahrani for responsibly disclosing an authorization bypass in FTL, where CLI API sessions (intended to be read-only) were able to import Teleporter archives via /api/teleporter, bypassing the restrictions correctly enforced on /api/config. This has been fixed by applying the same CLI session check to the Teleporter import endpoint.
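The local privilege escalation fix above replaces a source of /etc/pihole/versions with a parser that only assigns known keys with validated values. The shell script below is an added example written for this article, not Pi-hole's own code, of what such a parser looks like: the key names in ALLOWED_KEYS are assumed (modelled on the CORE_/WEB_/FTL_ version variables) and the sample file is constructed for the demonstration. Sourcing the sample would run its stray command line and overwrite PATH; the parser skips both.

```shell
#!/usr/bin/env bash
# Added example, not Pi-hole's own code: a replacement for
#   source /etc/pihole/versions
# that assigns only a fixed set of keys and only values that pass validation.
# Sourcing the file would execute any shell it contained as the calling user
# (root, for Pi-hole's maintenance scripts).

# Keys the parser may assign. Assumed names, modelled on Pi-hole's
# CORE_*/WEB_*/FTL_* version variables; adjust to match the real file.
ALLOWED_KEYS="CORE_VERSION CORE_BRANCH CORE_HASH WEB_VERSION WEB_BRANCH WEB_HASH FTL_VERSION FTL_BRANCH FTL_HASH"

# Succeeds only for a non-empty value made of [A-Za-z0-9._/-]: no whitespace,
# quotes, semicolons, backticks or other shell syntax can get through.
valid_value() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    return 0
}

# Succeeds only if $1 is one of ALLOWED_KEYS.
allowed_key() {
    for k in $ALLOWED_KEYS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# Parse a key=value file line by line. Known keys with valid values are
# exported into the current shell; every other line is ignored and counted
# in SKIPPED.
# Usage: parse_versions_file /etc/pihole/versions
parse_versions_file() {
    SKIPPED=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;        # blank lines and comments
        esac
        key=${line%%=*}
        value=${line#*=}
        if [ "$key" = "$line" ] || ! allowed_key "$key" || ! valid_value "$value"; then
            SKIPPED=$((SKIPPED + 1))
            continue
        fi
        # The key comes from the whitelist and the value is plain data, so
        # this assignment cannot execute anything (no eval, no source).
        export "$key=$value"
    done < "$1"
}

# Constructed sample file: two legitimate entries, a comment, a bare command
# line, a value carrying shell syntax, and a key outside the whitelist.
make_sample_file() {
    sample=$(mktemp)
    printf '%s\n' \
        '# versions (constructed sample)' \
        'CORE_VERSION=v6.4.1' \
        'CORE_BRANCH=master' \
        'echo injected' \
        'WEB_VERSION=v6.5; echo injected' \
        'PATH=/tmp' > "$sample"
    printf '%s' "$sample"
}

# Parse the sample and report what was accepted and what was skipped.
demo() {
    f=$(make_sample_file)
    parse_versions_file "$f"
    rm -f "$f"
    echo "CORE_VERSION=$CORE_VERSION CORE_BRANCH=$CORE_BRANCH WEB_VERSION=${WEB_VERSION:-<unset>} skipped=$SKIPPED"
}

demo
```

Because the file is read line by line and each value must match a strict character class, a value can never carry an embedded newline or shell syntax; the same principle (reject rather than interpret) is behind the newline validation later added to FTL's configuration parameters.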
Thank you to T0X1Cx for responsibly disclosing a newline injection vulnerability in FTL, where several configuration parameters — including dns.upstreams, dns.hostRecord, dns.cnameRecords, dhcp.leaseTime, and dhcp.hosts — lacked validation against newline characters, allowing an authenticated attacker to inject arbitrary dnsmasq configuration directives. This has been fixed by adding newline validation to the affected config items.

Full details for all advisories can be found at the following links:
- Multiple Stored HTML Injections and XSS in different web interface pages reported by andrejtomci
  - GHSA-jx8x-mj2r-62vq – Stored HTML Injection in queries.js
  - GHSA-9rfm-c5g6-538p – Stored HTML attribute injection
  - GHSA-px6w-85wp-ww9v – Stored XSS / HTML injection in the Network page/Dashboard
  - GHSA-7xqw-r9pr-qv59 – Reflected XSS / HTML injection in taillog.js (Also reported by n1rwhex and mzalzahrani)
- GHSA-c935-8g63-qp74 – Local Privilege Escalation reported by smittix
- GHSA-r7g8-3fj7-m5qq – Authorization bypass: CLI API sessions can import Teleporter archives and modify configuration reported by mzalzahrani
- Remote Code Execution (RCE) via Newline Injection in Multiple Configuration Parameters reported by T0X1Cx

No More DNS Interruptions During Gravity Updates

FTL will now wait for a running pihole -g to finish before restarting, rather than potentially cutting it short and leaving your Pi-hole unable to serve DNS in the interim. This has been a long-standing edge case — it’s now properly handled. (FTL #2419)

MAC Address Name Resolution Control

A new resolver.macNames config option lets you control whether FTL attempts to resolve hostnames via MAC addresses. Useful if you’re running a network setup where clients aren’t all on the same Layer 2 segment and this behaviour was causing issues. (FTL #2790)

Other notable fixes
- Query log showing millions of pages? A subtle integer underflow could cause the query counter to wrap to ~1.84×10¹⁹, making the log appear to have an absurd number of pages. Fixed. (FTL #2815)
- Rate-limited queries inflating client counts — The “Top Clients” counter was being incremented before the rate limiter could reject a query, leading to inflated numbers. Fixed. (FTL #2814)
- overTime graphs incorrect with database.DBimport = false — Garbage collection would never run in this configuration, causing memory to grow unboundedly and overTime data to be wrong. Fixed. (FTL #2788)
