Netgate Secure networking solutions

By the Year

In 2026 there have been 2 vulnerabilities in Netgate with an average score of 7.8 out of ten. Last year, in 2025 Netgate had 12 security vulnerabilities published. Right now, Netgate is on track to have less security vulnerabilities in 2026 than it did last year.

Recent Netgate Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2019-25271	Feb 04, 2026	NETGATE Data Backup 3.0.620 NGDatBckpSrv Unquoted Path LocalSys Exec NETGATE Data Backup 3.0.620 contains an unquoted service path vulnerability in its NGDatBckpSrv Windows service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with LocalSystem privileges by placing executable files in specific directory locations.
CVE-2019-25269	Feb 04, 2026	Unquoted Service Path in Amiti Antivirus 25.0.640 (Windows) Amiti Antivirus 25.0.640 contains an unquoted service path vulnerability in its Windows service configurations. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges by placing executable files in specific directory locations.
CVE-2025-12490	Nov 06, 2025	Netgate pfSense Suricata Path Traversal RCE Netgate pfSense CE Suricata Path Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to create arbitrary files on affected installations of Netgate pfSense. Authentication is required to exploit this vulnerability. The specific flaw exists within the Suricata package. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create files in the context of root. Was ZDI-CAN-28085.	Pfsense
CVE-2025-34178	Sep 09, 2025	pfSense CE Stored XSS in suricata_app_parsers.php via policy_name In pfSense CE /suricata/suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.	Pfsense Ce Pfsense Plus
CVE-2025-34177	Sep 09, 2025	Stored XSS in pfSense CE Suricata suricata_flow_stream.php In pfSense CE /suricata/suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.	Pfsense Ce Pfsense Pfsense Plus And others...
CVE-2025-34176	Sep 09, 2025	CVE-2025-34176: Authenticated Directory Traversal in pfSense Suricata IP Rep In pfSense CE /suricata/suricata_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related strings/characters. This value is directly used in a file existence check operation. While the contents of the file cannot be read, the server reveals whether the file exists, which enables an attacker to enumerate files on the target. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.	Pfsense Ce Pfsense Plus
CVE-2025-34175	Sep 09, 2025	XSS via unsanitized filehash on pfSense CE suricata_filecheck.php In pfSense CE /usr/local/www/suricata/suricata_filecheck.php, the value of the filehash parameter is directly displayed without sanitizing for HTML-related characters/strings. This can result in reflected cross-site scripting if the victim is authenticated.	Pfsense Ce Pfsense Pfsense Plus And others...
CVE-2025-34174	Sep 09, 2025	Stored-XSS in pfSense CE Status Traffic Totals Page via unsanitized start-day In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly displayed in the input box. This value can be saved as the default value to be displayed to all users when visiting the Status Traffic Totals page, resulting in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Status: Traffic Totals" permissions.	Pfsense Ce Pfsense Pfsense Plus And others...
CVE-2025-34173	Sep 09, 2025	Directory Traversal in pfSense CE Snort Module Reveals File Existence In pfSense CE /usr/local/www/snort/snort_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related characters/strings before being used to check if a file exists. While the contents of the file cannot be read, the server reveals whether a file exists, which allows an attacker to enumerate files on the target. The attacker must be authenticated with at least "WebCfg - Services: Snort package" permissions.	Pfsense Ce Pfsense Plus
CVE-2025-34172	Sep 09, 2025	XSS in pfSense CE via showsticktablecontent GET param In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.	Pfsense Ce Pfsense Plus
CVE-2025-53392	Jun 28, 2025	pfSense CE 2.8.0 WebCfg Diag: Command dir traversal via diag_command.php In Netgate pfSense CE 2.8.0, the "WebCfg - Diagnostics: Command" privilege allows reading arbitrary files via diag_command.php dlPath directory traversal. NOTE: the Supplier's perspective is that this is intended behavior for this privilege level, and that system administrators are informed through both the product documentation and UI.	Pfsense Ce
CVE-2024-54779	May 14, 2025	XSS in pfSense CE Log Widget <2.8.0 beta – Netgate Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds is vulnerable to Cross Site Scripting (XSS) in widgets/log.widget.php.	Pfsense Ce Pfsense Plus
CVE-2024-57273	May 14, 2025	CVE-2024-57273: pfSense CE <2.8.0 beta XSS in ACB 'reason' field Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds is vulnerable to Cross-site scripting (XSS) in the Automatic Configuration Backup (ACB) service, allowing remote attackers to execute arbitrary JavaScript, delete backups, or leak sensitive information via an unsanitized "reason" field and a derivable device key generated from the public SSH key.	Pfsense Ce Pfsense Plus Pfsense And others...
CVE-2024-54780	May 14, 2025	Netgate pfSense CE <2.8.0 Beta: OpenVPN Widget CMD Injection via remipp Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds are vulnerable to command injection in the OpenVPN widget due to improper sanitization of user-supplied input to the OpenVPN management interface. An authenticated attacker can exploit this vulnerability by injecting arbitrary OpenVPN management commands via the remipp parameter.	Pfsense Ce Pfsense Plus Pfsense And others...
CVE-2024-46538	Oct 22, 2024	XSS in pfSense v2.5.2 via interfaces_groups_edit.php ($pconfig injection) A cross-site scripting (XSS) vulnerability in pfsense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php.	Pfsense
CVE-2023-48795	Dec 18, 2023	OpenSSH <9.6 BPP handshake flaw allows integrity bypass (Terrapin attack) The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.	Pfsense Plus Pfsense Ce
CVE-2023-48123	Dec 06, 2023	RCE via packet_capture.php in Netgate pfSense v23.05.1 An issue in Netgate pfSense Plus v.23.05.1 and before and pfSense CE v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the packet_capture.php file.	Pfsense Pfsense Plus
CVE-2023-42326	Nov 14, 2023	Netgate pfSense 2.7.0 RCE via interfaces_gif_edit.php/gre_edit.php An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.	Pfsense Pfsense Plus
CVE-2023-42325	Nov 14, 2023	XSS in pfSense 2.7.0 status_logs_filter_dynamic.php Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page.	Pfsense
CVE-2023-42327	Nov 14, 2023	CVE-2023-42327 XSS in Netgate pfSense 2.7.0 getserviceproviders.php Priv Esc Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.	Pfsense
CVE-2023-29973	Oct 25, 2023	Pfsense CE 2.6.0: No rate limit allows malicious user creation Pfsense CE version 2.6.0 is vulnerable to No rate limit which can lead to an attacker creating multiple malicious users in firewall.	Pfsense
CVE-2020-21487	Apr 04, 2023	XSS via RootFolder in Netgate pfSense 2.4.4 ACME v0.6.3 Cross Site Scripting vulnerability found in Netgate pfSense 2.4.4 and ACME package v.0.6.3 allows attackers to execute arbitrary code via the RootFolder field of acme_certificates.php.	Pfsense Pfsense Acme Package
CVE-2023-27100	Mar 22, 2023	SSHGuard BruteForce Bypass in pfSense v22.05.1 & CE v2.6.0 Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.	Pfsense Plus Pfsense
CVE-2023-27253	Mar 17, 2023	pfSense v2.7.0 Command Injection in restore_rrddata() via config.xml A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.	Pfsense
CVE-2022-29273	Feb 22, 2023	pfSense CE/Plus < 2.6.0/22.05: XSS in WebGUI via URL Table Alias pfSense CE through 2.6.0 and pfSense Plus before 22.05 allow XSS in the WebGUI via URL Table Alias URL parameters.	Pfsense
CVE-2022-40624	Dec 20, 2022	pfBlockerNG <=2.1.4_27 Remote Exec via Host Header in pfSense pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814.	Pfsense
CVE-2020-21219	Dec 15, 2022	Cross Site Scripting in Netgate pfSense 2.4.4-Release-p3 (ACME 0.6.3) Cross Site Scripting (XSS) vulnerability in Netgate pf Sense 2.4.4-Release-p3 and Netgate ACME package 0.6.3 allows remote attackers to to run arbitrary code via the RootFolder field to acme_certificate_edit.php page of the ACME package.	Pfsense Acme
CVE-2022-42247	Oct 03, 2022	pfSense 2.5.2 XSS in browser.php via crafted file name pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.	Pfsense
CVE-2022-31814	Sep 05, 2022	pfSense pfBlockerNG <=2.1.4_26 Remote OS Command Injection via Host Header pfSense pfBlockerNG through 2.1.4_26 allows remote attackers to execute arbitrary OS commands as root via shell metacharacters in the HTTP Host header. NOTE: 3.x is unaffected.	Pfblockerng
CVE-2021-20729	Mar 31, 2022	Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL.	Pfsense Plus
CVE-2022-24299	Mar 31, 2022	Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command.	Pfsense Pfsense Plus
CVE-2022-26019	Mar 31, 2022	Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution.	Pfsense Pfsense Plus
CVE-2020-19203	Jul 12, 2021	An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS.	Pfsense
CVE-2020-19201	Jul 12, 2021	A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr (description) parameter on NAT rules.	Pfsense
CVE-2020-10797	Apr 29, 2020	An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfsense before 2.4.5 version An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfsense before 2.4.5 version. After passing inputs to the command and executing this command, the $result variable is not sanitized before it is printed.	Pfsense
CVE-2020-11457	Apr 01, 2020	pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI via the descr parameter (aka full name) of a user.	Pfsense
CVE-2019-16667	Sep 26, 2019	diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands. This occurs because csrf_callback() produces a "CSRF token expired" error and a Try Again button when a CSRF token is missing.	Pfsense
CVE-2019-16914	Sep 26, 2019	An XSS issue was discovered in pfSense through 2.4.4-p3 An XSS issue was discovered in pfSense through 2.4.4-p3. In services_captiveportal_mac.php, the username and delmac parameters are displayed without sanitization.	Pfsense
CVE-2019-16915	Sep 26, 2019	An issue was discovered in pfSense through 2.4.4-p3 An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) for a pathname to file_get_contents or file_put_contents.	Pfsense
CVE-2019-16701	Sep 25, 2019	pfSense through 2.3.4 through 2.4.4-p3 pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value.	Pfsense
CVE-2019-12949	Jun 25, 2019	In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authenticated administrator into clicking on a button on a phishing page, an attacker can leverage XSS to upload arbitrary executable code In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authenticated administrator into clicking on a button on a phishing page, an attacker can leverage XSS to upload arbitrary executable code, via diag_command.php and rrd_fetch_json.php (timePeriod parameter), to a server. Then, the remote attacker can run any command with root privileges on that server.	Pfsense
CVE-2019-12585	Jun 03, 2019	Apcupsd 0.3.91_5 Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an Arbitrary Command Execution issue in apcupsd_status.php.	Pfsense
CVE-2019-12584	Jun 03, 2019	Apcupsd 0.3.91_5 Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an XSS issue in apcupsd_status.php.	Pfsense
CVE-2019-12347	May 29, 2019	In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field via an acme_accountkeys_edit.php action. The vulnerability occurs due to input validation errors.	Pfsense
CVE-2019-11816	May 20, 2019	Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to escalate privileges to administrator via a specially crafted request.	Pfsense
CVE-2018-20799	Mar 01, 2019	In pfSense 2.4.4_1, blocking of source IP addresses on the basis of failed HTTPS authentication is inconsistent with blocking of source IP addresses on the basis of failed SSH authentication (the behavior does not match the sshguard documentation) In pfSense 2.4.4_1, blocking of source IP addresses on the basis of failed HTTPS authentication is inconsistent with blocking of source IP addresses on the basis of failed SSH authentication (the behavior does not match the sshguard documentation), which might make it easier for attackers to bypass intended access restrictions.	Pfsense
CVE-2018-20798	Mar 01, 2019	The expiretable configuration in pfSense 2.4.4_1 establishes block durations The expiretable configuration in pfSense 2.4.4_1 establishes block durations that are incompatible with the block durations implemented by sshguard, which might make it easier for attackers to bypass intended access restrictions.	Pfsense
CVE-2019-8953	Feb 20, 2019	The HAProxy package before 0.59_16 for pfSense has XSS The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, related to haproxy_listeners.php and haproxy_listeners_edit.php.	Haproxy
CVE-2018-4019	Dec 03, 2018	An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_normal_mode` parameter.	Pfsense
CVE-2018-4021	Dec 03, 2018	An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_battery_mode` POST parameter.	Pfsense