Stored XSS in pfSense CE Status Traffic Totals Page via unsanitized start-day
CVE-2025-34174 Published on September 9, 2025

Netgate pfSense CE Status_Traffic_Totals Package v2.3.2_7 Stored Cross-Site Scripting
In pfSense CE, /usr/local/www/status_traffic_totals.php neither checks that the start-day parameter is numeric nor strips HTML-significant characters from it before echoing it directly into the input box. The value can be saved as the page default, so it is displayed to every user who visits the Status Traffic Totals page, resulting in stored cross-site scripting. Exploitation requires an authenticated account with at least the "WebCfg - Status: Traffic Totals" permission.
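The pattern the advisory describes, and the fix a reviewer would expect, side by side. This is an added illustration written for this page, not pfSense's own status_traffic_totals.php: the function names, the assumed default day of 1 and the sample submissions are all hypothetical. The vulnerable renderer puts the stored value straight into the value attribute; the hardened path whitelists an integer day of month before anything is saved and HTML-encodes the value on output, so a hostile string can neither reach the config nor break out of the attribute if it somehow did.

```php
<?php
// Illustrative example, not pfSense code. Shows the unsafe pattern the
// advisory describes and a hardened equivalent for the start-day field.

// UNSAFE: the stored value is concatenated into the attribute unchanged.
// A saved value such as  "><script>alert(1)</script>  closes the input
// tag and runs for every user who loads the page (stored XSS).
function render_start_day_unsafe(string $saved): string {
    return '<input type="text" name="start-day" value="' . $saved . '">';
}

// Validation step: accept only a plain integer day of month (1-31).
// ctype_digit rejects signs, whitespace, decimals and any markup outright,
// so the string "31abc" or "<b>1</b>" never gets stored. Returns null on
// failure so the caller can raise an input error instead of saving.
function validate_start_day($raw): ?int {
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw)) {
        return null;
    }
    $day = (int)$raw;
    return ($day >= 1 && $day <= 31) ? $day : null;
}

// Output step: encode on render regardless of validation, so the output
// stays safe even if a bad value reached the config by another route.
function render_start_day_safe(int $day): string {
    return '<input type="text" name="start-day" value="'
        . htmlspecialchars((string)$day, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Hypothetical submit handler: reject invalid input with an error rather
// than saving it; only a validated integer is ever written to $config.
function handle_start_day_submit(array $post, array &$config): array {
    $errors = [];
    $day = validate_start_day($post['start-day'] ?? null);
    if ($day === null) {
        $errors[] = 'Start day must be a whole number between 1 and 31.';
    } else {
        $config['start-day'] = $day;
    }
    return $errors;
}

// Constructed sample submissions (not captured traffic).
$samples = ['15', '"><script>alert(1)</script>', '0', '31', '31abc', ' 7'];
$config  = ['start-day' => 1];   // assumed default of 1

foreach ($samples as $s) {
    echo "input   : " . var_export($s, true) . "\n";
    echo "unsafe  : " . render_start_day_unsafe($s) . "\n";
    $errors = handle_start_day_submit(['start-day' => $s], $config);
    if ($errors) {
        echo "rejected: " . $errors[0] . "\n";
    }
    echo "safe    : " . render_start_day_safe($config['start-day']) . "\n\n";
}
```

Both halves matter: a numeric whitelist alone leaves the renderer one refactor away from echoing a string again, and encoding alone still lets a nonsensical day be stored and shown to every user. Run with `php example.php` to see the script payload survive the unsafe renderer and be refused by the hardened path.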

NVD

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2025-34174 is classified as an XSS (cross-site scripting) weakness.


Products Associated with CVE-2025-34174


Affected Versions

Netgate pfSense CE with the Status_Traffic_Totals package at version 2.3.2_7 (the version named in the heading above) is affected by CVE-2025-34174.

Exploit Probability

EPSS
0.03%
Percentile
6.60%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score ranks against all other scored vulnerabilities.