CVE-2026-44693

Description

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based web server. This issue has been patched in version 6.6.1.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

pi-hole / FTL< 6.6.1 – < 6.6.1

References

VENDOR_ADVISORYhttps://github.com/pi-hole/FTL/security/advisories/GHSA-9ff5-f3v5-2xc7
PATCHhttps://github.com/pi-hole/FTL/releases/tag/v6.6.1