Opnsense
Monthly
Remote code execution in OPNsense firewall (core versions prior to 26.1.8) allows authenticated administrators to execute arbitrary commands as root by injecting shell metacharacters into DHCP interface configuration fields that are passed unsanitized to an underlying shell script. The flaw carries a 9.1 CVSS score with scope change reflecting privilege escalation from the web UI context to OS root, though no public exploit has been identified at time of analysis and EPSS estimates only a 0.23% probability of near-term exploitation.
Brute-force lockout bypass in OPNsense prior to 26.1.7 allows unauthenticated remote attackers to indefinitely circumvent the authentication failure counter, enabling unlimited credential guessing against any network-accessible login endpoint. The flaw resides in the lockout_handler logic, which interprets attacker-controlled username strings containing the keywords 'Accepted' or 'Successful login' as success signals and resets the IP-based failure counter. A publicly available proof-of-concept exploit exists (SSVC exploitation: poc), the attack is classified as automatable with no prerequisites beyond network reach, and no active exploitation is confirmed in CISA KEV. EPSS is low at 0.03% (10th percentile), suggesting limited observed exploitation at time of analysis.
Authenticated remote code execution in OPNsense firewall versions prior to 26.1.8 allows a user with user-management privileges to execute arbitrary commands as root by smuggling shell payloads inside an email-address-formatted field processed by the local user synchronization script. Publicly available exploit code exists per SSVC, though EPSS scoring (0.13%) indicates low predicted mass exploitation; SSVC classifies technical impact as total but automation as no. No active exploitation has been confirmed in CISA KEV at time of analysis.
Remote code execution in OPNsense firewall versions prior to 26.1.7 allows authenticated high-privileged users to execute arbitrary code via the opnsense.restore_config_section XMLRPC method, which fails to sanitize user-supplied input. The flaw carries a CVSS 9.1 with scope change and total impact, and while publicly available exploit code exists per SSVC, EPSS rates real-world exploitation probability at only 0.23%, suggesting niche rather than mass-scale risk. The vendor has shipped a fix in 26.1.7 and the issue is tracked as GHSA-xxp9-93cr-x54p and EUVD-2026-30183.
OPNsense prior to version 26.1.4 contains a CSRF vulnerability where state-changing API endpoints accept HTTP GET requests without proper anti-CSRF protections, allowing authenticated users to be tricked into triggering unintended system operations. An attacker can craft a malicious website that, when visited by an authenticated OPNsense administrator, performs unauthorized configuration changes or service reloads through the vulnerable endpoints. No patch is currently available for this medium-severity vulnerability affecting OPNsense firewall deployments.
OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. [CVSS 5.4 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting the passthrough_networks parameter in vpn_ipsec_settings.php. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. [CVSS 6.4 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through multiple parameters. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. [CVSS 6.4 MEDIUM]
OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. [CVSS 5.4 MEDIUM]
OPNsense before 25.1.8 contains an authenticated command injection vulnerability in its Bridge Interface Edit endpoint (interfaces_bridge_edit.php). Rated critical (CVSS 9.1), the vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.