Pi-hole FTL v6.7, Web v6.6 and Core v6.4.3 Released!
As always, please read through the changelogs before updating with pihole -up
Don’t forget, you can use Teleporter to export your configuration. It can be found under the settings menu of the web interface or on the command line with pihole-FTL --teleporter
Docker has been tagged as 2026.07.0
Highlights
Security
This release closes out six advisories across Core and FTL. We’d like to thank all of the researchers who took the time to responsibly disclose these issues — several are related to work covered in previous releases, and we’re grateful for the continued scrutiny.
Thank you to supperhellokitty20, rrobgill, T0X1Cx and SakusenSec for responsibly disclosing these issues. Full details for all advisories can be found at the following links:
- pi-hole/pi-hole/security/advisories/GHSA-h8w9-qx2v-wrww — Local privilege escalation from
piholeuser to root via/etc/pihole/logrotate(High) reported by supperhellokitty20 - pi-hole/FTL/security/advisories/GHSA-q6fm-xwxf-37r5 — WebUI (& API) DoS via lack of rate limiting (High) reported by rrobgill
- pi-hole/FTL/security/advisories/GHSA-w8cr-2cwg-92cg — Session expiration bypass (High) reported by T0X1Cx
- pi-hole/FTL/security/advisories/GHSA-8j7w-m3cr-6q6x — Remote Code Execution via CivetWeb configuration injection (High) reported by SakusenSec
- pi-hole/FTL/security/advisories/GHSA-g7v8-8q8f-hprp — Log injection in the access-log writer chaining to RCE via Lua-server-page evaluation (Moderate)
- pi-hole/FTL/security/advisories/GHSA-r5vh-5q82-jg7q — CRLF injection / HTTP header injection via group name (Low) reported by T0X1Cx
Updated embedded components
FTL now ships with an updated embedded dnsmasq v2.93 and SQLite3 v3.53.1, keeping the core resolver and database layer current. (FTL #2890, FTL #2891)
A brand new DHCP static leases editor
Managing DHCP leases from the web interface has been one of the most frequently requested improvements since we released v6, and this release finally delivers it. The static leases interface has been completely reworked into a proper editor: adding, editing and removing reserved leases should now feel more intuitive. (Web #3766)
Thank you to everyone who’s asked for this over the years and to @rdwebdesign for making it happen.
iCloud Private Relay and better MAC vendor resolution
A fix landed for iCloud Private Relay zones (FTL #2919), and MAC vendor lookups now resolve sub-allocated blocks (MA-M / MA-S) via longest-prefix match, so more devices are correctly identified (FTL #2907).
Other web interface improvements
Editing reverse DNS servers (dns.revServers) now has a much friendlier interface, and the Lists page has clearer hints and help text. (Web #3769, Web #3798)
Friendlier error messages
Error messages across FTL have been made more human friendly, including a custom message for UNIQUE constraint errors, so it’s clearer what’s gone wrong when something does. (FTL #2878, FTL #2879)
Details of all other fixes can be found below!
FTL v6.7
What’s Changed
- Performance optimizations and bug fixes by @DL6ER in #2816
- fix: check NULL returns from strdup/calloc in rotate_files() by @jluzzi123 in #2875
- Make error messages more human friendly by @yubiuser in #2878
- Harden API/database races in civetweb and DB threads by @DL6ER in #2881
- Update embedded SQLite3 to v3.53.1 by @DL6ER in #2891
- Fix build on Fedora 44 by @darkexplosiveqwx in #2893
- macvendor: resolve sub-allocated blocks (MA-M/MA-S) via longest-prefix match by @RamSet in #2907
- Update embedded dnsmasq to v2.93 by @DL6ER in #2890
- fix OOB write in FTL_parse_pseudoheaders when optlen is 0 by @rdevshp in #2910
- Update a single text description “PRIVATE KEY” by @DoctorD90 in #2884
- add optional dnsmasq features to cmake by @darkexplosiveqwx in #2874
- Fix building on alpine 3.24 by @yubiuser in #2911
- Bats by @yubiuser in #2872
- Improve crash backtraces for non-reproducible faults by @DL6ER in #2880
- Fix gzip.c inflate_buffer CRC signed left shift undefined behavior by @rdevshp in #2916
- Fix for iCloud Private Relay zones by @DL6ER in #2919
- fix tar parsing by @rdevshp in #2914
- Allow using local
manufs to generate macvendor.db by @darkexplosiveqwx in #2918 - Use custom message for UNIQUE constraint error message by @rdwebdesign in #2879
- Re-resolve client groups event-driven, drop periodic recheck by @DL6ER in #2922
- Guard against invalid gzip data in gzip.c inflate_buffer by @rdevshp in #2915
- Fix BATS test of no ERRORS in FTL.log to allow capturing the output by @yubiuser in #2927
- fix(cli): warn when –config cannot read pihole.toml (#2849) by @DL6ER in #2930
- fix(api-docs): correct three OpenAPI spec issues (#2867) by @DL6ER in #2929
- fix: avoid segfault in dnsmasq-test on unreadable config file by @DL6ER in #2928
- Fix prefix-match bug and improve fallthrough logging in redirect_root_handler by @slmingol in #2933
- Swap misaligned comments for domain-needed and expand-hosts. by @0xpsyduck in #2932
- Code review July 2026 by @DL6ER in #2935
- Pi-hole FTL v6.7 by @PromoFaux in #2936
Security advisories
- pi-hole/FTL/security/advisories/GHSA-q6fm-xwxf-37r5
- pi-hole/FTL/security/advisories/GHSA-w8cr-2cwg-92cg
- pi-hole/FTL/security/advisories/GHSA-8j7w-m3cr-6q6x
- pi-hole/FTL/security/advisories/GHSA-g7v8-8q8f-hprp
- pi-hole/FTL/security/advisories/GHSA-r5vh-5q82-jg7q
New Contributors
- @jluzzi123 made their first contribution in #2875
- @RamSet made their first contribution in #2907
- @rdevshp made their first contribution in #2910
- @DoctorD90 made their first contribution in #2884
- @slmingol made their first contribution in #2933
- @0xpsyduck made their first contribution in #2932
Full Changelog: v6.6.2…v6.7
Core v6.4.3
What’s Changed
- Also hardcode the PID file location in utils.sh to prevent
readonly variablewarning by @PromoFaux in #6613 - Use
awkto compare curl versions by @rdwebdesign in #6621 - Explicitly add
gawkto APK dependencies by @yubiuser in #6622 - Prevent double error message output in gravity run with invalid file by @PromoFaux in #6607
- Replace pytest/tox with direct in-container BATS by @PromoFaux in #6598
- Add Fedora 44 and Ubuntu 26.04 LTS to tests by @darkexplosiveqwx in #6623
- Add gravity tests by @yubiuser in #6639
- Set BATS pretty output flag depending on the terminal and improve failure output by @yubiuser in #6644
- fix: check return codes in gravity_build_tree and database_recovery() by @jluzzi123 in #6630
- Include alpine 3.24 in tests by @yubiuser in #6654
- installer: fix custom DNS entry when only one upstream server is provided by @Gilmoursa in #6638
- Fix BATS gravity test on curl version >=8.21 by @yubiuser in #6661
- avoid copytruncate in logrotate by @darkexplosiveqwx in #6642
- v6.4.3 by @PromoFaux in #6618
Security advisories
New Contributors
- @jluzzi123 made their first contribution in #6630
- @Gilmoursa made their first contribution in #6638
Full Changelog: v6.4.2…v6.4.3
Web v6.6
What’s Changed
- Improve DHCP static leases interface (alternative) by @rdwebdesign in #3766
- Lists page – Improve hints and help text by @rdwebdesign in #3798
- Update daterangepicker ranges everytime the picker is shown by @yubiuser in #3793
- Better user interface to edit reverse DNS servers (dns.revServers) by @rdwebdesign in #3769
Full Changelog: v6.5.1…v6.6