pfSense
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in pfSense.
By the Year
In 2026 there have been 0 vulnerabilities in pfSense. Pfsense did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 5 | 7.84 |
| 2022 | 4 | 7.00 |
| 2021 | 4 | 5.75 |
It may take a day or so for new Pfsense vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent pfSense Security Vulnerabilities
Pfsense CE 2.6.0: Auth Bypass, Unauthenticated Password Reset (CVE-2023-29975)
CVE-2023-29975
7.2 - High
- November 09, 2023
An issue discovered in Pfsense CE version 2.6.0 allows attackers to change the password of any user without verification.
authentification
Pfsense CE 2.6.0 Weak PW Requirements Let Attackers Compromise User Accounts
CVE-2023-29974
9.8 - Critical
- November 08, 2023
An issue discovered in Pfsense CE version 2.6.0 allows attackers to compromise user accounts via weak password requirements.
Weak Password Requirements
Pfsense CE 2.6.0: No rate limit allows malicious user creation
CVE-2023-29973
4.9 - Medium
- October 25, 2023
Pfsense CE version 2.6.0 is vulnerable to No rate limit which can lead to an attacker creating multiple malicious users in firewall.
Allocation of Resources Without Limits or Throttling
Directory Traversal in Pfsense 2.1.3 & Suricata 1.4.6 suricata_logs_browser.php
CVE-2020-19678
7.5 - High
- April 06, 2023
Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php.
Directory traversal
SSHGuard BruteForce Bypass in pfSense v22.05.1 & CE v2.6.0
CVE-2023-27100
9.8 - Critical
- March 22, 2023
Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.
Improper Restriction of Excessive Authentication Attempts
pfSense 2.5.2 XSS in browser.php via crafted file name
CVE-2022-42247
6.1 - Medium
- October 03, 2022
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
XSS
Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier)
CVE-2021-20729
- March 31, 2022
Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL.
diag_routes.php in pfSense 2.5.2 allows sed data injection
CVE-2021-41282
8.8 - High
- March 01, 2022
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.
Injection
/usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call
CVE-2022-23993
6.1 - Medium
- January 26, 2022
/usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call, causing XSS.
XSS
An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php
CVE-2020-19203
- July 12, 2021
An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS.
A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php
CVE-2020-19201
- July 12, 2021
A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr (description) parameter on NAT rules.
A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which
CVE-2020-26693
5.4 - Medium
- June 01, 2021
A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which allows an authenticated attacker to execute arbitrary web scripts via exploitation of the load_balancer_monitor.php function.
XSS
pfSense 2.5.0 allows XSS
CVE-2021-27933
6.1 - Medium
- April 28, 2021
pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field.
XSS
