Aggregates CVE and security vulnerability intelligence across all opnsense-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk cross-site scripting, vendor risk csrf, vendor risk open redirect, and vendor risk path handling and related problems; some flaws may lead to vendor impact session compromise.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-45158 | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell script, allowing remote code execution as root on the underlying operating system. This vulnerability is fixed in 26.1.8. | [email protected] | 9.1 | 0.53% | 2026-05-13 | 2026-05-15 |
| CVE-2026-44195 | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockout_handler allows an unauthenticated attacker to continuously reset the authentication failure counter for their IP address. By interjecting a crafted username containing a success keyword ("Accepted" or "Successful login") between normal brute-force attempts, an attacker can prevent the failure counter from ever reaching the lockout threshold. This vulnerability is fixed in 26.1.7. | [email protected] | 5.3 | 0.32% | 2026-05-13 | 2026-05-15 |
| CVE-2026-44194 | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user with user-management privileges to execute arbitrary system commands as root. An attacker can bypass input validation by formatting their malicious payload as a compliant email address, allowing shell commands to reach the underlying operating system. The flaw exists in the local user synchronization flow, within core/src/opnsen | [email protected] | 9.1 | 6.35% | 2026-05-13 | 2026-05-15 |
| CVE-2026-44193 | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied input leading to Remote Code Execution. This vulnerability is fixed in 26.1.7. | [email protected] | 9.1 | 0.69% | 2026-05-13 | 2026-05-15 |
| CVE-2026-34578 | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, | [email protected] | 8.2 | 0.41% | 2026-04-09 | 2026-04-14 |
| CVE-2026-30868 | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state‑changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE methods, allowing authenticated GET requests to bypass CSRF verification. As a result, a malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended s | [email protected] | 6.3 | 0.14% | 2026-03-11 | 2026-03-17 |
| CVE-2019-25377 | OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. Attackers can craft POST requests with script payloads in the value parameter to execute JavaScript in the context of authenticated user sessions. | [email protected] | 4.8 | 0.24% | 2026-02-15 | 2026-02-18 |
| CVE-2019-25376 | OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogACL parameter to execute arbitrary scripts in users' browsers. | [email protected] | 5.1 | 0.36% | 2026-02-15 | 2026-02-18 |
| CVE-2019-25375 | OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. Attackers can send POST requests to the monit interface with JavaScript payloads in the mailserver parameter to execute arbitrary code in users' browsers. | [email protected] | 5.1 | 0.36% | 2026-02-15 | 2026-02-18 |
| CVE-2019-25374 | OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting the passthrough_networks parameter in vpn_ipsec_settings.php. Attackers can craft POST requests with JavaScript payloads in the passthrough_networks parameter to execute arbitrary code in users' browsers. | [email protected] | 5.1 | 0.32% | 2026-02-15 | 2026-02-18 |
| CVE-2019-25373 | OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. Attackers can send POST requests to firewall_rules_edit.php with script payloads in the category field to execute arbitrary JavaScript in the browsers of other users accessing firewall rule pages. | [email protected] | 5.1 | 0.20% | 2026-02-15 | 2026-02-18 |
| CVE-2019-25372 | OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted payloads through POST requests to diag_traceroute.php to execute arbitrary JavaScript in the context of a user's browser session. | [email protected] | 5.1 | 0.24% | 2026-02-15 | 2026-02-18 |
| CVE-2019-25371 | OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted POST requests to the diag_ping.php endpoint with script payloads in the host parameter to execute arbitrary JavaScript in users' browsers. | [email protected] | 5.1 | 0.24% | 2026-02-15 | 2026-02-18 |
| CVE-2019-25370 | OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through multiple parameters. Attackers can send POST requests to interfaces_vlan_edit.php with script payloads in the tag, descr, or vlanif parameters to execute arbitrary JavaScript in users' browsers. | [email protected] | 5.1 | 0.23% | 2026-02-15 | 2026-02-18 |
| CVE-2019-25369 | OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. Attackers can submit POST requests with script payloads that are stored and executed in the context of authenticated user sessions when the page is viewed. | [email protected] | 5.1 | 0.20% | 2026-02-15 | 2026-02-18 |
| CVE-2019-25368 | OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authentica | [email protected] | 4.8 | 0.13% | 2026-02-15 | 2026-02-18 |
| CVE-2025-50989 | OPNsense before 25.1.8 contains an authenticated command injection vulnerability in its Bridge Interface Edit endpoint (interfaces_bridge_edit.php). The span POST parameter is concatenated into a system-level command without proper sanitization or escaping, allowing an administrator to inject arbitrary shell operators and payloads. Successful exploitation results in remote code execution with the privileges of the web service (typically root), potentially leading to full system compromise or lat | [email protected] | 9.1 | 7.98% | 2025-08-27 | 2025-09-26 |
| CVE-2023-27152 | DECISO OPNsense 23.1 does not impose rate limits for authentication, allowing attackers to perform a brute-force attack to bypass authentication. | [email protected] | 9.8 | 0.89% | 2023-10-23 | 2024-11-21 |
| CVE-2023-44276 | OPNsense before 23.7.5 allows XSS via the index.php sequence parameter to the Lobby Dashboard. | [email protected] | 5.4 | 0.50% | 2023-09-28 | 2024-11-21 |
| CVE-2023-44275 | OPNsense before 23.7.5 allows XSS via the index.php column_count parameter to the Lobby Dashboard. | [email protected] | 5.4 | 0.50% | 2023-09-28 | 2024-11-21 |