Netgate Pfsense

Netgate pfSense Suricata Path Traversal RCE
CVE-2025-12490 - November 06, 2025

Netgate pfSense CE Suricata Path Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to create arbitrary files on affected installations of Netgate pfSense. Authentication is required to exploit this vulnerability. The specific flaw exists within the Suricata package. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create files in the context of root. Was ZDI-CAN-28085.

Directory traversal

Stored XSS in pfSense CE Suricata suricata_flow_stream.php
CVE-2025-34177 - September 09, 2025

In pfSense CE /suricata/suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.

XSS

XSS via unsanitized filehash on pfSense CE suricata_filecheck.php
CVE-2025-34175 - September 09, 2025

In pfSense CE /usr/local/www/suricata/suricata_filecheck.php, the value of the filehash parameter is directly displayed without sanitizing for HTML-related characters/strings. This can result in reflected cross-site scripting if the victim is authenticated.

XSS

Stored-XSS in pfSense CE Status Traffic Totals Page via unsanitized start-day
CVE-2025-34174 - September 09, 2025

In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly displayed in the input box. This value can be saved as the default value to be displayed to all users when visiting the Status Traffic Totals page, resulting in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Status: Traffic Totals" permissions.

XSS

Netgate pfSense CE <2.8.0 Beta: OpenVPN Widget CMD Injection via remipp
CVE-2024-54780 - May 14, 2025

Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds are vulnerable to command injection in the OpenVPN widget due to improper sanitization of user-supplied input to the OpenVPN management interface. An authenticated attacker can exploit this vulnerability by injecting arbitrary OpenVPN management commands via the remipp parameter.

CVE-2024-57273: pfSense CE <2.8.0 beta XSS in ACB 'reason' field
CVE-2024-57273 - May 14, 2025

Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds is vulnerable to Cross-site scripting (XSS) in the Automatic Configuration Backup (ACB) service, allowing remote attackers to execute arbitrary JavaScript, delete backups, or leak sensitive information via an unsanitized "reason" field and a derivable device key generated from the public SSH key.

XSS in pfSense v2.5.2 via interfaces_groups_edit.php ($pconfig injection)
CVE-2024-46538 4.8 - Medium - October 22, 2024

A cross-site scripting (XSS) vulnerability in pfsense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php.

XSS

RCE via packet_capture.php in Netgate pfSense v23.05.1
CVE-2023-48123 8.8 - High - December 06, 2023

An issue in Netgate pfSense Plus v.23.05.1 and before and pfSense CE v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the packet_capture.php file.

Netgate pfSense 2.7.0 RCE via interfaces_gif_edit.php/gre_edit.php
CVE-2023-42326 8.8 - High - November 14, 2023

An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.

Command Injection

CVE-2023-42327 XSS in Netgate pfSense 2.7.0 getserviceproviders.php Priv Esc
CVE-2023-42327 5.4 - Medium - November 14, 2023

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.

XSS

XSS in pfSense 2.7.0 status_logs_filter_dynamic.php
CVE-2023-42325 5.4 - Medium - November 14, 2023

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page.

XSS

Pfsense CE 2.6.0: No rate limit allows malicious user creation
CVE-2023-29973 4.9 - Medium - October 25, 2023

Pfsense CE version 2.6.0 is vulnerable to No rate limit which can lead to an attacker creating multiple malicious users in firewall.

Allocation of Resources Without Limits or Throttling

XSS via RootFolder in Netgate pfSense 2.4.4 ACME v0.6.3
CVE-2020-21487 9.6 - Critical - April 04, 2023

Cross Site Scripting vulnerability found in Netgate pfSense 2.4.4 and ACME package v.0.6.3 allows attackers to execute arbitrary code via the RootFolder field of acme_certificates.php.

XSS

SSHGuard BruteForce Bypass in pfSense v22.05.1 & CE v2.6.0
CVE-2023-27100 9.8 - Critical - March 22, 2023

Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.

Improper Restriction of Excessive Authentication Attempts

pfSense v2.7.0 Command Injection in restore_rrddata() via config.xml
CVE-2023-27253 8.8 - High - March 17, 2023

A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.

aka Blind XPath Injection

pfSense CE/Plus < 2.6.0/22.05: XSS in WebGUI via URL Table Alias
CVE-2022-29273 6.1 - Medium - February 22, 2023

pfSense CE through 2.6.0 and pfSense Plus before 22.05 allow XSS in the WebGUI via URL Table Alias URL parameters.

XSS

pfBlockerNG <=2.1.4_27 Remote Exec via Host Header in pfSense
CVE-2022-40624 9.8 - Critical - December 20, 2022

pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814.

Shell injection

Cross Site Scripting in Netgate pfSense 2.4.4-Release-p3 (ACME 0.6.3)
CVE-2020-21219 6.1 - Medium - December 15, 2022

Cross Site Scripting (XSS) vulnerability in Netgate pf Sense 2.4.4-Release-p3 and Netgate ACME package 0.6.3 allows remote attackers to to run arbitrary code via the RootFolder field to acme_certificate_edit.php page of the ACME package.

XSS

pfSense 2.5.2 XSS in browser.php via crafted file name
CVE-2022-42247 6.1 - Medium - October 03, 2022

pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.

XSS

Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01)
CVE-2022-26019 8.8 - High - March 31, 2022

Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution.

Directory traversal

Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01)
CVE-2022-24299 8.8 - High - March 31, 2022

Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command.

Improper Input Validation

An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php
CVE-2020-19203 - July 12, 2021

An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS.

A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php
CVE-2020-19201 - July 12, 2021

A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr (description) parameter on NAT rules.

An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfsense before 2.4.5 version
CVE-2020-10797 - April 29, 2020

An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfsense before 2.4.5 version. After passing inputs to the command and executing this command, the $result variable is not sanitized before it is printed.

pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI
CVE-2020-11457 - April 01, 2020

pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI via the descr parameter (aka full name) of a user.

diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands
CVE-2019-16667 8.8 - High - September 26, 2019

diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands. This occurs because csrf_callback() produces a "CSRF token expired" error and a Try Again button when a CSRF token is missing.

Session Riding

An issue was discovered in pfSense through 2.4.4-p3
CVE-2019-16915 - September 26, 2019

An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) for a pathname to file_get_contents or file_put_contents.

An XSS issue was discovered in pfSense through 2.4.4-p3
CVE-2019-16914 - September 26, 2019

An XSS issue was discovered in pfSense through 2.4.4-p3. In services_captiveportal_mac.php, the username and delmac parameters are displayed without sanitization.

pfSense through 2.3.4 through 2.4.4-p3
CVE-2019-16701 8.8 - High - September 25, 2019

pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value.

Shell injection

In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authenticated administrator into clicking on a button on a phishing page, an attacker can leverage XSS to upload arbitrary executable code
CVE-2019-12949 - June 25, 2019

In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authenticated administrator into clicking on a button on a phishing page, an attacker can leverage XSS to upload arbitrary executable code, via diag_command.php and rrd_fetch_json.php (timePeriod parameter), to a server. Then, the remote attacker can run any command with root privileges on that server.

Apcupsd 0.3.91_5
CVE-2019-12585 - June 03, 2019

Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an Arbitrary Command Execution issue in apcupsd_status.php.

Apcupsd 0.3.91_5
CVE-2019-12584 - June 03, 2019

Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an XSS issue in apcupsd_status.php.

In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field
CVE-2019-12347 - May 29, 2019

In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field via an acme_accountkeys_edit.php action. The vulnerability occurs due to input validation errors.

Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3
CVE-2019-11816 7.2 - High - May 20, 2019

Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to escalate privileges to administrator via a specially crafted request.

In pfSense 2.4.4_1, blocking of source IP addresses on the basis of failed HTTPS authentication is inconsistent with blocking of source IP addresses on the basis of failed SSH authentication (the behavior does not match the sshguard documentation)
CVE-2018-20799 - March 01, 2019

In pfSense 2.4.4_1, blocking of source IP addresses on the basis of failed HTTPS authentication is inconsistent with blocking of source IP addresses on the basis of failed SSH authentication (the behavior does not match the sshguard documentation), which might make it easier for attackers to bypass intended access restrictions.

The expiretable configuration in pfSense 2.4.4_1 establishes block durations
CVE-2018-20798 - March 01, 2019

The expiretable configuration in pfSense 2.4.4_1 establishes block durations that are incompatible with the block durations implemented by sshguard, which might make it easier for attackers to bypass intended access restrictions.

An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request
CVE-2018-4019 7.2 - High - December 03, 2018

An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_normal_mode` parameter.

Shell injection

An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request
CVE-2018-4021 7.2 - High - December 03, 2018

An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_battery_mode` POST parameter.

Shell injection

An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request
CVE-2018-4020 7.2 - High - December 03, 2018

An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_ac_mode` POST parameter parameter.

Shell injection

An authenticated command injection vulnerability exists in status_interfaces.php
CVE-2018-16055 8.8 - High - September 26, 2018

An authenticated command injection vulnerability exists in status_interfaces.php via dhcp_relinquish_lease() in pfSense before 2.4.4 due to its passing user input from the $_POST parameters "ifdescr" and "ipv" to a shell without escaping the contents of the variables. This allows an authenticated WebGUI user with privileges for the affected page to execute commands in the context of the root user when submitting a request to relinquish a DHCP lease for an interface which is configured to obtain its address via DHCP.

Shell injection