Pi-hole has shipped a security-focused release that closes six vulnerabilities across its Core and FTL components, including a remote code execution bug in CivetWeb configuration injection and a local privilege escalation path from the pihole user to root via /etc/pihole/logrotate. Both carry a High severity rating, as do a session expiration bypass and a denial-of-service vector caused by missing rate limiting on the web UI and API. Two lower-severity issues, a log injection that chained into RCE through Lua server-page evaluation (Moderate) and a CRLF/HTTP header injection via group name (Low), round out the advisory list. Anyone running Pi-hole on a Raspberry Pi, home server, or LXC container should update promptly with pihole -up.

Beyond the security fixes, FTL 6.7 bumps two critical embedded dependencies. The built-in DNS resolver now runs dnsmasq v2.93, and the database engine moves to SQLite3 v3.53.1. The release also adds build support for Fedora 44 and Ubuntu 26.04 LTS, and resolves a compatibility issue with iCloud Private Relay zones that was causing incorrect query attribution. MAC vendor lookups now use longest-prefix matching for sub-allocated IEEE blocks (MA-M and MA-S), so devices that previously showed as "unknown" should be correctly identified on the DHCP leases page.

The web interface (v6.6) gets a long-requested feature: a proper DHCP static leases editor that replaces the minimal form from the v6 launch with a full add/edit/remove workflow. Reverse DNS server configuration (dns.revServers) also has a reworked UI, and the Lists page now includes clearer hints and help text. Error messages throughout FTL have been rewritten to be more human-readable, with a custom message for SQLite UNIQUE constraint violations replacing the raw database error.

The release is available now. Existing installations can update with pihole -up, and Docker users can pull the 2026.07.0 tag. Configuration can be backed up beforehand using the Teleporter export in the web interface or via pihole-FTL --teleporter on the command line.