Pi-hole has released version 2026.04.0, addressing multiple security vulnerabilities and fixing several long-standing bugs in the popular network-level ad blocker. The update patches XSS and HTML injection vectors in the web interface, a local privilege escalation bug in the Core component, an authorization bypass in FTL, and newline injection vulnerabilities that could allow remote code execution. Security researchers andrejtomci, smittix, mzalzahrani, and T0X1Cx responsibly disclosed the issues, which are detailed in GitHub security advisories.

The release also resolves a frustrating edge case where DNS resolution could be interrupted during gravity list updates. FTL now waits for a running pihole -g command to finish before restarting, preventing DNS outages during blocklist updates. Additional changes include a new resolver.macNames config option for controlling MAC address hostname resolution, which is useful for multi-segment networks, and corrections for query log pagination bugs that could display millions of phantom pages due to integer underflow.

Users can update immediately with pihole -up and should review the full changelogs before upgrading. The update includes FTL v6.6, Core v6.4.1, and Web v6.5, and is also available as Docker tag 2026.04.0. Configuration exports can be created via Teleporter in the web interface settings or by running pihole-FTL --teleporter on the command line.