Pi-hole Patches Two Security Vulnerabilities in Latest Release

The Pi-hole project has shipped a security-focused update, bumping FTL to v6.6.1 and Core to v6.4.2 (Docker tag 2026.04.1). The release addresses two responsibly disclosed vulnerabilities, one in each component, with full details published as GitHub Security Advisories GHSA-6w8x-p785-6pm4 and GHSA-9cqv-839p-gpq2. Anyone running Pi-hole should update promptly via pihole -up.

Beyond the security patches, FTL v6.6.1 includes several stability improvements worth noting. Multiple thread-safety fixes resolve crashes (SIGSEGV) that could occur under concurrent API load, and a race condition affecting shared memory strings in API handlers has been eliminated. The update also adds a new GET /api/config/_properties endpoint, improves shutdown diagnostics for identifying SIGTERM sources, and relaxes punycode domain handling to accept entries that libidn2 would reject under strict IDNA2008 rules.

Core v6.4.2 rounds out the release with fixes to file ownership permissions, gravity error reporting that now surfaces curl exit codes, and the addition of logrotate as an explicit dependency for both DEB and RPM packages. The Pi-hole team recommends using the Teleporter feature to export your configuration before upgrading, accessible from the web interface settings or via pihole-FTL --teleporter on the command line.

Related Articles

Pi-hole 2026.02.0 Patches Two Security Flaws and Cuts Startup Delays

Pi-hole 2025.11.1 Brings Performance Boost and Security Hardening

Pi-hole 2026.04.0 Patches Multiple Security Flaws, Fixes DNS Interruptions

Pi-hole FTL and Core Receive Latest Updates