Pi-hole: Update closes security vulnerabilities and delivers more performance
The Pi-hole programmers have fixed security vulnerabilities in the DNS ad blocker and streamlined the software.
The DNS-based ad blocker Pi-hole patches two security vulnerabilities in its updated version. Additionally, the programmers have implemented changes that boost performance, especially on older Raspberry Pis.
In a blog post on the Pi-hole website, the developers announced the new versions of the components. The security vulnerabilities patched in these versions affect Pi-hole's web interface. Firstly, attackers logged in as administrators could exploit a “Stored HTML Injection” vulnerability to inject HTML code that is displayed when viewing the DNS entry table (CVE-2026-26952, CVSS 5.4, Risk “medium”). Secondly, the same is possible on the API settings page (CVE-2026-26953, CVSS 5.4, Risk “medium”).
Updated Pi-hole Components
The current Pi-hole components FTL 6.5, Web 6.4.1, and Core 6.4 patch the security holes in the web interface. Anyone using Pi-hole should generally ensure that the web GUI is not exposed to the internet and, if necessary, restrict access to the admin machine.
However, the updated parts of Pi-hole offer more. According to the developers, they have improved performance. Startup is now faster because FTL imports the request history asynchronously from the database. Previously, DNS resolution was blocked until the entire request history was loaded into memory. Now, FTL accepts requests immediately and imports the old data in a background thread. To ensure consistency, the garbage collector only starts after the import is complete.
Furthermore, the new configuration option database.forceDisk instructs FTL to move the SQLite3 database, which is normally held in memory, to the storage drive. This reduces memory consumption and is particularly helpful on older Raspberry Pis. The programmers point out that this is especially suitable for Pi-hole instances where the web interface is used infrequently. On systems using only SD cards, this might lead to speed reductions, but no differences were measurable on systems with NVMe drives. The default value is “false” but can be activated, for example, by calling sudo pihole-FTL --config database.forceDisk true.
Additionally, the update of the blocklists, i.e., the Gravity system, should run faster. The domain checking loop is now more efficient – tests with five million entries from multiple lists reduced the update time from 27 to 23 seconds, which corresponds to a 16 percent real-time speed gain and a 22 percent gain in CPU time.
A practical test over a few days on a Raspberry Pi Zero W shows that the developers are not overpromising. Where previously several warnings about excessively high system load in Pi-hole appeared daily, the system now runs smoothly without such complaints and with minimal load. Existing installations can be updated by calling “sudo pihole -up”.
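To confirm after the update that an installation runs the patched components, the following added example (not code from heise or the Pi-hole project) compares the versions reported by pihole -v with the fixed releases named above. The line format "<Component> version is vX.Y.Z", the sample output and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare installed Pi-hole component versions with the
# patched releases named in the article (Core 6.4, Web 6.4.1, FTL 6.5).
MIN_VERSIONS="Core=6.4 Web=6.4.1 FTL=6.5"

# Constructed sample of "pihole -v" output (assumed format, not captured).
SAMPLE_OUTPUT='Core version is v6.4 (Latest: v6.4)
Web version is v6.3 (Latest: v6.4.1)
FTL version is v6.5 (Latest: v6.5)'

# version_ge A B: succeed if dotted version A >= B. Fields are compared
# numerically (6.10 > 6.5); missing fields count as 0 (6.4 < 6.4.1).
version_ge() (
    a=$1 b=$2
    for n in 1 2 3; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && exit 0
        [ "${x:-0}" -lt "${y:-0}" ] && exit 1
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    exit 0
)

# check_pihole_versions: read a version report on stdin, print one line per
# component, fail if any component is missing or older than the patched one.
check_pihole_versions() (
    report=$(cat) status=0
    for pair in $MIN_VERSIONS; do
        name=${pair%%=*} min=${pair#*=}
        have=$(printf '%s\n' "$report" |
            sed -n "s/^ *$name version is v\{0,1\}\([0-9][0-9.]*\).*/\1/p" |
            head -n 1)
        if [ -z "$have" ]; then
            echo "$name: version not found"; status=1
        elif version_ge "$have" "$min"; then
            echo "$name: $have OK (>= $min)"
        else
            echo "$name: $have is older than $min, update needed"; status=1
        fi
    done
    exit "$status"
)

# Demo on the constructed sample; on a Pi-hole host use instead:
#   pihole -v | check_pihole_versions
printf '%s\n' "$SAMPLE_OUTPUT" | check_pihole_versions || true
```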
A year ago, the Pi-hole developers released major version 6. That version was also intended to streamline the DNS filtering software. The updates now released, however, deliver a noticeable improvement precisely in this respect.
(dmk)