
Pi-hole releases FTL v6.6, Web v6.5, and Core v6.4.1 with security fixes, adds MAC control
Pi-hole has released FTL v6.6, Web v6.5, and Core v6.4.1, with the latest Docker image tagged as 2026.04.0. The update fixes several security issues across the web interface, FTL, and Core, including stored and reflected XSS and HTML injection flaws affecting components such as queries.js, the Network page, and the Dashboard. These vulnerabilities were reported by security researchers andrejtomci, n1rwhex, and mzalzahrani.
The release also patches a local privilege escalation issue in the Core component by replacing unsafe script sourcing with a validated parser. In FTL, Pi-hole closed an authorization bypass that let command-line API sessions import Teleporter archives, and fixed a newline injection flaw in configuration handling that could allow remote code execution through manipulated DNS or DHCP parameters.
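To illustrate the class of fix described for Core, the following added example (not Pi-hole's code; the function name, keys and sample file are constructed for illustration) reads a KEY=VALUE setting in POSIX shell by parsing and allow-listing it, so nothing in the file is ever executed the way it would be if the file were sourced.

```shell
#!/bin/sh
# Added example, not Pi-hole's code. parse_conf, the keys and the sample
# file below are hypothetical and constructed for illustration.

# parse_conf FILE KEY: print the value of KEY and return 0, or return 1 if
# KEY is missing or its value fails validation. The file is only read line
# by line; it is never sourced or eval'd, so its content cannot run as code.
# The ( ) body runs in a subshell so the variables stay local to the call.
parse_conf() (
    file=$1 want=$2
    while IFS= read -r line || [ -n "$line" ]; do
        # Only an exact "KEY=" prefix at the start of the line matches;
        # comments, blank lines and other keys are skipped.
        case $line in
            "$want="*) value=${line#"$want="} ;;
            *) continue ;;
        esac
        # Allow-list: letters, digits and . _ : / - only. Anything else
        # ($, backticks, ;, quotes, spaces, parentheses) rejects the value.
        case $value in
            *[!A-Za-z0-9._:/-]*) return 1 ;;
        esac
        printf '%s\n' "$value"
        return 0
    done < "$file"
    return 1
)

# Constructed sample file. The last line would execute `id` if the file
# were sourced by a privileged script; the parser treats it as bad data.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample settings
WEBPORT=8080
LOGFILE=/var/log/example.log
BLOCKPAGE=$(id)
EOF

parse_conf "$sample" WEBPORT
parse_conf "$sample" BLOCKPAGE || echo "BLOCKPAGE rejected" >&2
```
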
On the reliability side, FTL v6.6 now waits for an active gravity update to finish before restarting, helping prevent temporary DNS outages. The update also adds a resolver.macNames option for controlling MAC-based hostname resolution in more complex network setups, while other fixes address query log underflows, inflated Top Clients stats, and memory growth when overTime graph imports are disabled. Users are advised to back up their setup with Teleporter and review the changelogs before updating.