Opnsense

OPNsense 19.1 Reflected XSS via system_advanced_sysctl.php
CVE-2019-25377 5.4 - Medium - February 15, 2026

OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. Attackers can craft POST requests with script payloads in the value parameter to execute JavaScript in the context of authenticated user sessions.

XSS

OPNsense 19.1: Reflected XSS via ignoreLogACL (CVE-2019-25376)
CVE-2019-25376 6.1 - Medium - February 15, 2026

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogACL parameter to execute arbitrary scripts in users' browsers.

XSS

OPNsense 19.1 Reflected XSS via mailserver param in monit
CVE-2019-25375 6.1 - Medium - February 15, 2026

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. Attackers can send POST requests to the monit interface with JavaScript payloads in the mailserver parameter to execute arbitrary code in users' browsers.

XSS

OPNsense 19.1 XSS via passthrough_networks in vpn_ipsec_settings
CVE-2019-25374 6.1 - Medium - February 15, 2026

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting the passthrough_networks parameter in vpn_ipsec_settings.php. Attackers can craft POST requests with JavaScript payloads in the passthrough_networks parameter to execute arbitrary code in users' browsers.

XSS

OPNsense 19.1 Stored XSS via category param in firewall_rules_edit.php
CVE-2019-25373 6.4 - Medium - February 15, 2026

OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. Attackers can send POST requests to firewall_rules_edit.php with script payloads in the category field to execute arbitrary JavaScript in the browsers of other users accessing firewall rule pages.

XSS

OPNsense 19.1 XSS via host param in diag_traceroute.php exploitable without auth
CVE-2019-25372 6.1 - Medium - February 15, 2026

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted payloads through POST requests to diag_traceroute.php to execute arbitrary JavaScript in the context of a user's browser session.

XSS

OPNsense 19.1 Reflected XSS via host param in diag_ping.php
CVE-2019-25371 6.1 - Medium - February 15, 2026

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted POST requests to the diag_ping.php endpoint with script payloads in the host parameter to execute arbitrary JavaScript in users' browsers.

XSS

Reflected XSS in OPNsense 19.1 interfaces_vlan_edit.php
CVE-2019-25370 6.1 - Medium - February 15, 2026

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through multiple parameters. Attackers can send POST requests to interfaces_vlan_edit.php with script payloads in the tag, descr, or vlanif parameters to execute arbitrary JavaScript in users' browsers.

XSS

OPNsense 19.1 XSS via tunable param in system_advanced_sysctl.php
CVE-2019-25369 6.4 - Medium - February 15, 2026

OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. Attackers can submit POST requests with script payloads that are stored and executed in the context of authenticated user sessions when the page is viewed.

XSS

OPNsense 19.1 diag_backup.php XSS via GDrive/Nextcloud params
CVE-2019-25368 5.4 - Medium - February 15, 2026

OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions.

XSS

OPNsense <=25.7.3 XSS via unsanitized ptpid in PPP Interface
CVE-2025-34182 - October 01, 2025

In Deciso OPNsense before 25.7.4, when creating an "Interfaces: Devices: Point-to-Point" entry, the value of the parameter ptpid is not sanitized of HTML-related characters/strings. This value is directly displayed when visiting the page/interfaces_assign.php, which can result in stored cross-site scripting. The attacker must be authenticated with at-least "Interfaces: PPPs: Edit" permission. This vulnerability has been addressed by the vendor in the product release notes as "ui: legacy_html_escape_form_data() was not escaping keys only data elements."

XSS

OPNsense <25.1.8: Bridge Edit cmd injection RCE
CVE-2025-50989 8.8 - High - August 27, 2025

OPNsense before 25.1.8 contains an authenticated command injection vulnerability in its Bridge Interface Edit endpoint (interfaces_bridge_edit.php). The span POST parameter is concatenated into a system-level command without proper sanitization or escaping, allowing an administrator to inject arbitrary shell operators and payloads. Successful exploitation results in remote code execution with the privileges of the web service (typically root), potentially leading to full system compromise or lateral movement. This vulnerability arises from inadequate input validation and improper handling of user-supplied data in backend command invocations.

Shell injection

OPNsense 23.1 Auth Rate Limit Bypass Allowing Brute-Force (CVE-2023-27152)
CVE-2023-27152 9.8 - Critical - October 23, 2023

DECISO OPNsense 23.1 does not impose rate limits for authentication, allowing attackers to perform a brute-force attack to bypass authentication.

Improper Restriction of Excessive Authentication Attempts

OPNsense <23.7.5 XSS via index.php column_count in Lobby Dashboard
CVE-2023-44275 5.4 - Medium - September 28, 2023

OPNsense before 23.7.5 allows XSS via the index.php column_count parameter to the Lobby Dashboard.

XSS

OPNsense <=23.7.4 XSS via Lobby Dashboard index.php
CVE-2023-44276 5.4 - Medium - September 28, 2023

OPNsense before 23.7.5 allows XSS via the index.php sequence parameter to the Lobby Dashboard.

XSS

OPNsense CE/BE /tmp permission flaw in pre-23.7 / pre-23.4.2
CVE-2023-39003 7.5 - High - August 09, 2023

OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 was discovered to contain insecure permissions in the directory /tmp.

Incorrect Permission Assignment for Critical Resource

OPNsense <23.7/23.4.2: Insecure /conf/ Permissions Priv Escal
CVE-2023-39004 9.8 - Critical - August 09, 2023

Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allow attackers to access sensitive information (e.g., hashed root password) which could lead to privilege escalation.

Incorrect Permission Assignment for Critical Resource

OPNsense configd.socket insecure permissions before 23.7/23.4.2
CVE-2023-39005 7.5 - High - August 09, 2023

Insecure permissions exist for configd.socket in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2.

Incorrect Permission Assignment for Critical Resource

OPNsense Directory Traversal via Zip in Captive Portal Templates (CE <23.7)
CVE-2023-38997 7.2 - High - August 09, 2023

A directory traversal vulnerability in the Captive Portal templates of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands as root via a crafted ZIP archive.

Directory traversal

OPNsense Open Redirect in Login Page before 23.7/23.4.2
CVE-2023-38998 6.1 - Medium - August 09, 2023

An open redirect in the Login page of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to redirect a victim user to an arbitrary web site via a crafted URL.

Open Redirect

OPNsense CSRF DoS via System Halt API before 23.7
CVE-2023-38999 6.5 - Medium - August 09, 2023

A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/halt) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

Session Riding

OPNsense Reflected XSS in /ui/diagnostics/log/core/ before 23.7/23.4.2
CVE-2023-39000 6.1 - Medium - August 09, 2023

A reflected cross-site scripting (XSS) vulnerability in the component /ui/diagnostics/log/core/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to inject arbitrary JavaScript via the URL path.

XSS

Command Injection in OPNsense CE diag_backup.php <23.7
CVE-2023-39001 9.8 - Critical - August 09, 2023

A command injection vulnerability in the component diag_backup.php of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary commands via a crafted backup configuration file.

Command Injection

XSS in act param system_certmanager.php OPNsense <23.7/23.4.2
CVE-2023-39002 6.1 - Medium - August 09, 2023

A cross-site scripting (XSS) vulnerability in the act parameter of system_certmanager.php in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

XSS

OPNsense Crash Reporter Input Sanitization Vulnerability (23.7/23.4.2)
CVE-2023-39006 5.4 - Medium - August 09, 2023

The Crash Reporter (crash_reporter.php) component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 mishandles input sanitization.

XSS

Command Injection OPNsense /api/cron/settings/setJob/ (CE<23.7, BE<23.4.2)
CVE-2023-39008 9.8 - Critical - August 09, 2023

A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands.

Command Injection

OPNsense CC XSS via Cron openAction <23.7 (<23.4.2)
CVE-2023-39007 9.6 - Critical - August 09, 2023

/ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows XSS via openAction in app/controllers/OPNsense/Cron/ItemController.php.

XSS

A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4
CVE-2021-42770 6.1 - Medium - November 08, 2021

A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4 via the LDAP attribute return in the authentication tester.

XSS

An open redirect issue was discovered in OPNsense through 20.1.5
CVE-2020-23015 6.1 - Medium - May 03, 2021

An open redirect issue was discovered in OPNsense through 20.1.5. The redirect parameter "url" in login page was not filtered and can redirect user to any website.

Open Redirect

OPNsense 18.7.x before 18.7.7 has Incorrect Access Control.
CVE-2018-18958 6.5 - Medium - June 17, 2019

OPNsense 18.7.x before 18.7.7 has Incorrect Access Control.

Authorization

Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3
CVE-2019-11816 7.2 - High - May 20, 2019

Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to escalate privileges to administrator via a specially crafted request.