Pi-hole FTL v6.6, Web v6.5 and Core v6.4.1 Released!
As always, please read through the changelogs before updating with pihole -up
Don’t forget, you can use Teleporter to export your configuration. It can be found under the settings menu of the web interface or on the command line with pihole-FTL --teleporter
This release has also been tagged on Docker as 2026.04.0
Highlights
Security
Thank you to andrejtomci for responsibly disclosing multiple web interface vulnerabilities covering a range of XSS and HTML injection attack vectors.
Thank you to smittix for responsibly disclosing a local privilege escalation vulnerability in the Core component, where /etc/pihole/versions could be sourced by root-run Pi-hole scripts, allowing code execution as root in a post-compromise scenario. This has been fixed by replacing the source call with a safe parser that only assigns known keys with validated values.
Thank you to mzalzahrani for responsibly disclosing an authorization bypass in FTL, where CLI API sessions (intended to be read-only) were able to import Teleporter archives via /api/teleporter, bypassing the restrictions correctly enforced on /api/config. This has been fixed by applying the same CLI session check to the Teleporter import endpoint.
Thank you to T0X1Cx for responsibly disclosing a newline injection vulnerability in FTL, where several configuration parameters — including dns.upstreams, dns.hostRecord, dns.cnameRecords, dhcp.leaseTime, and dhcp.hosts — lacked validation against newline characters, allowing an authenticated attacker to inject arbitrary dnsmasq configuration directives. This has been fixed by adding newline validation to the affected config items.
Full details for all advisories can be found at the following links:
- Multiple Stored HTML Injections and XSS in different web interface pages reported by andrejtomci
- GHSA-c935-8g63-qp74 – Local Privilege Escalation reported by smittix
- GHSA-r7g8-3fj7-m5qq – Authorization bypass: CLI API sessions can import Teleporter archives and modify configuration reported by mzalzahrani
- Remote Code Execution (RCE) via Newline Injection in Multiple Configuration Parameters reported by T0X1Cx
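As an added illustration of the Core fix described above (example code, not Pi-hole's own), a POSIX-shell parser that reads a KEY=VALUE file without sourcing it: only a fixed set of known keys is assigned, values are restricted to version-like characters, and everything else is skipped. The key names and the sample file contents are assumed and constructed for the demonstration.

```shell
# Added example (not Pi-hole's code): replace `. /etc/pihole/versions` with a
# parser that never executes the file. Key names are assumed for illustration.
# Accept only version/branch-like values: letters, digits, . _ / -
is_valid_value() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9._/-]*) return 1 ;;   # rejects ; $ ( ) spaces etc.
        *) return 0 ;;
    esac
}
# Assign only to a fixed list of known variables; no eval, so the file
# cannot pick the variable name. Unknown keys return failure.
assign_known_key() {
    case "$1" in
        CORE_VERSION) CORE_VERSION="$2" ;;
        WEB_VERSION)  WEB_VERSION="$2" ;;
        FTL_VERSION)  FTL_VERSION="$2" ;;
        *) return 1 ;;
    esac
}
# Read KEY=VALUE lines from file $1; skip comments, blank or malformed lines,
# unknown keys and invalid values. Nothing in the file is interpreted.
load_versions_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ""|"#"*) continue ;;
            *=*) ;;
            *) continue ;;
        esac
        key="${line%%=*}"
        value="${line#*=}"
        is_valid_value "$value" || continue
        assign_known_key "$key" "$value" || continue
    done < "$1"
}
# Constructed sample: two good lines, one value with shell metacharacters
# (which sourcing would have run), one unknown key.
write_sample_versions() {
    cat > "$1" <<'EOF'
CORE_VERSION=v6.4.1
WEB_VERSION=v6.5;echo injected
FTL_VERSION=v6.6
NOT_A_KEY=whatever
EOF
}

# Stand-alone run: load the sample and print what survived validation.
tmpf=$(mktemp); write_sample_versions "$tmpf"; load_versions_file "$tmpf"; rm -f "$tmpf"
printf 'CORE=%s WEB=%s FTL=%s\n' "$CORE_VERSION" "${WEB_VERSION:-<rejected>}" "$FTL_VERSION"
```

Running it prints the two accepted versions and marks WEB as rejected, because the value carried a `;` and never reached the assignment.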
No More DNS Interruptions During Gravity Updates
FTL will now wait for a running pihole -g to finish before restarting, rather than potentially cutting it short and leaving your Pi-hole unable to serve DNS in the interim. This has been a long-standing edge case — it’s now properly handled. (FTL #2419)
MAC Address Name Resolution Control
A new resolver.macNames config option lets you control whether FTL attempts to resolve hostnames via MAC addresses. Useful if you’re running a network setup where clients aren’t all on the same Layer 2 segment and this behaviour was causing issues. (FTL #2790)
Other notable fixes
- Query log showing millions of pages? A subtle integer underflow could cause the query counter to wrap to ~1.84×10¹⁹, making the log appear to have an absurd number of pages. Fixed. (FTL #2815)
- Rate-limited queries inflating client counts — The “Top Clients” counter was being incremented before the rate limiter could reject a query, leading to inflated numbers. Fixed. (FTL #2814)
- overTime graphs incorrect with database.DBimport = false — Garbage collection would never run in this configuration, causing memory to grow unboundedly and overTime data to be wrong. Fixed. (FTL #2788)
FTL v6.6
What’s Changed
- Fix possible resolver issue on armv5tel by @DL6ER in Fix possible resolver issue on armv5tel #2781
- Introduce CMake options for optional dependencies by @aeolio in Introduce CMake options for optional dependencies #2795
- Fix build without mbedtls [v2] by @aeolio in Fix build without mbedtls [v2] #2796
- Fix overTime data when database.DBimport = false by @DL6ER in Fix overTime data when database.DBimport = false #2788
- Fix cross-compilation issues w/ custom toolchain by @aeolio in Fix cross-compilation issues w/ custom toolchain #2797
- Add new option for controling name resolution via MAC address by @DL6ER in Add new option for controling name resolution via MAC address #2790
- Fix obtaining client groups by name by @DL6ER in Fix obtaining client groups by name #2791
- Ensure API sessions are restored before starting the HTTP server by @DL6ER in Ensure API sessions are restored before starting the HTTP server #2803
- Add form-action ‘self’ to Content-Security-Policy by @yubiuser in Add form-action ‘self’ to Content-Security-Policy #2804
- Add query_frequency to /padd endpoint by @yubiuser in Add query_frequency to /padd endpoint #2806
- Guard query-count counters against unsigned underflow by @DL6ER in Guard query-count counters against unsigned underflow #2815
- Add universal crash backtrace via _Unwind_Backtrace by @DL6ER in Add universal crash backtrace via _Unwind_Backtrace #2811
- config: show totp_secret presence in CLI output by @DL6ER in config: show totp_secret presence in CLI output #2813
- Fix client count inflation for rate-limited queries by @DL6ER in Fix client count inflation for rate-limited queries #2814
- Fix stack buffer overflow in get_process_name() by @DL6ER in Fix stack buffer overflow in get_process_name() #2821
- Do not restart FTL while pihole -g is still ongoing by @DL6ER in Do not restart FTL while pihole -g is still ongoing #2419
New Contributors
- @aeolio made their first contribution in Introduce CMake options for optional dependencies #2795
Full Changelog: v6.5…v6.6
Core v6.4.1
What’s Changed
- Remove additional ‘:’ from debug log system time output by @yubiuser in Remove additional ‘:’ from debug log system time output #6551
- Remove readonly from piholeNetworkFlush.sh to avoid error message by @rdwebdesign in Remove readonly from piholeNetworkFlush.sh to avoid error message #6554
- Add antigravity index by @DL6ER in Add antigravity index #6573
- Fix return status capture of FTL check_download exists by @yubiuser in Fix return status capture of FTL check_download exists #6572
- Remove misleading TODO comment for SetWebPassword by @10adnan75 in Remove misleading TODO comment for SetWebPassword #6531
New Contributors
- @10adnan75 made their first contribution in Remove misleading TODO comment for SetWebPassword #6531
- @copilot made their first contribution in Remove broken Stickermule affiliate link from README #6580
Full Changelog: v6.4…v6.4.1
Web v6.5
What’s Changed
- Amend teleporter help text that the long-term data is not included by @yubiuser in Amend teleporter help text that the long-term data is not included #3721
- Do not use 3 columns when boxed layout is used by @rdwebdesign in Do not use 3 columns when boxed layout is used #3722
- Use ENTER instead of ⏎ by @yubiuser in Use ENTER instead of ⏎ #3727
- Don’t link to github releases if docker tag is nightly by @yubiuser in Don’t link to github releases if docker tag is nightly #3718
- Do not try to compare component version when remote version info is not available by @yubiuser in Do not try to compare component version when remote version info is not available #3729
- Show loading overlay when adding/removing CNAME records as it requires a FTL restart by @yubiuser in Show loading overlay when adding/removing CNAME records as it requires a FTL restart #3742
- fix: check on responseJSON when wrong password by @guybrush2105 in fix: check on responseJSON when wrong password #3693
- Remove the loggingButton from Settings > System > Actions by @yubiuser in Remove the loggingButton from Settings > System > Actions #3747
New Contributors
- @guybrush2105 made their first contribution in fix: check on responseJSON when wrong password #3693
Full Changelog: v6.4.1…v6.5