pfSense pfSense Open source firewall, router and vpn based on FreeBSD

  1. Vendors
  2. pfSense

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any pfSense product.

RSS Feeds for pfSense security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in pfSense products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by pfSense Sorted by Most Security Vulnerabilities since 2018

pfSense13 vulnerabilities

pfSense Pfblockerng1 vulnerability

Pfsense Pkg Freeradius31 vulnerability

Pfsense Pkg Wireguard1 vulnerability

Pfsense Plus1 vulnerability

pfSense Suricata Package1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in pfSense. pfSense did not have any published security vulnerabilities last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 0 0.00
2024 0 0.00
2023 5 7.84
2022 6 7.46
2021 4 5.75
2020 0 0.00
2019 1 0.00

It may take a day or so for new pfSense vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent pfSense Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2023-29975 Nov 09, 2023
Pfsense CE 2.6.0: Auth Bypass, Unauthenticated Password Reset (CVE-2023-29975) An issue discovered in Pfsense CE version 2.6.0 allows attackers to change the password of any user without verification.
Pfsense
CVE-2023-29974 Nov 08, 2023
Pfsense CE 2.6.0 Weak PW Requirements Let Attackers Compromise User Accounts An issue discovered in Pfsense CE version 2.6.0 allows attackers to compromise user accounts via weak password requirements.
Pfsense
CVE-2023-29973 Oct 25, 2023
Pfsense CE 2.6.0: No rate limit allows malicious user creation Pfsense CE version 2.6.0 is vulnerable to No rate limit which can lead to an attacker creating multiple malicious users in firewall.
Pfsense
CVE-2020-19678 Apr 06, 2023
Directory Traversal in Pfsense 2.1.3 & Suricata 1.4.6 suricata_logs_browser.php Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php.
Suricata Package
Pfsense
CVE-2023-27100 Mar 22, 2023
SSHGuard BruteForce Bypass in pfSense v22.05.1 & CE v2.6.0 Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.
Pfsense
CVE-2022-40624 Dec 20, 2022
pfBlockerNG <=2.1.4_27 Remote Exec via Host Header in pfSense pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814.
Pfblockerng
CVE-2022-42247 Oct 03, 2022
pfSense 2.5.2 XSS in browser.php via crafted file name pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
Pfsense
CVE-2021-20729 Mar 31, 2022
Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL.
Pfsense
CVE-2022-21132 Mar 10, 2022
Directory traversal vulnerability in pfSense-pkg-WireGuard pfSense-pkg-WireGuard 0.1.5 versions prior to 0.1.5_4 and pfSense-pkg-WireGuard 0.1.6 versions prior to 0.1.6_1 Directory traversal vulnerability in pfSense-pkg-WireGuard pfSense-pkg-WireGuard 0.1.5 versions prior to 0.1.5_4 and pfSense-pkg-WireGuard 0.1.6 versions prior to 0.1.6_1 allows a remote authenticated attacker to lead a pfSense user to view a file outside the public folder.
Pfsense Pkg Wireguard
CVE-2021-41282 Mar 01, 2022
diag_routes.php in pfSense 2.5.2 allows sed data injection diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.
Pfsense
CVE-2022-23993 Jan 26, 2022
/usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call /usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call, causing XSS.
Pfsense
Pfsense Plus
CVE-2020-19203 Jul 12, 2021
An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS.
Pfsense
CVE-2020-19201 Jul 12, 2021
A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr (description) parameter on NAT rules.
Pfsense
CVE-2020-26693 Jun 01, 2021
A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which allows an authenticated attacker to execute arbitrary web scripts via exploitation of the load_balancer_monitor.php function.
Pfsense
CVE-2021-27933 Apr 28, 2021
pfSense 2.5.0 allows XSS pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field.
Pfsense
CVE-2019-18667 Nov 02, 2019
/usr/local/www/freeradius_view_config.php in the freeradius3 package before 0.15.7_3 for pfSense on FreeBSD /usr/local/www/freeradius_view_config.php in the freeradius3 package before 0.15.7_3 for pfSense on FreeBSD allows a user with an XSS payload as password or username to execute arbitrary javascript code on a victim browser.
Pfsense Pkg Freeradius3
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.