VYPR

Pfsense

by Pfsense

Source repositories

CVEs (48)

  • CVE-2025-69691CriMay 8, 2026
    risk 0.64cvss 9.9epss 0.01

    Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.

  • CVE-2016-10709HigJan 22, 2018
    risk 0.63cvss 8.8epss 0.34

    pfSense before 2.3 allows remote authenticated users to execute arbitrary OS commands via a '|' character in the status_rrd_graph_img.php graph parameter, related to _rrd_graph_img.php.

  • CVE-2025-69690CriMay 8, 2026
    risk 0.59cvss 9.1epss 0.01

    Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are…

  • CVE-2018-16055HigSep 26, 2018
    risk 0.58cvss 8.8epss 0.11

    An authenticated command injection vulnerability exists in status_interfaces.php via dhcp_relinquish_lease() in pfSense before 2.4.4 due to its passing user input from the $_POST parameters "ifdescr" and "ipv" to a shell without escaping the contents of the variables. This…

  • CVE-2021-41282Mar 1, 2022
    risk 0.10cvss epss 0.87

    diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the…

  • CVE-2019-12347May 29, 2019
    risk 0.08cvss epss 0.59

    In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field via an acme_accountkeys_edit.php action. The vulnerability occurs due to input validation errors.

  • CVE-2015-2295Apr 10, 2015
    risk 0.08cvss epss 0.66

    Cross-site request forgery (CSRF) vulnerability in system_firmware_restorefullbackup.php in the WebGUI in pfSense before 2.2.1 allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deletefile parameter.

  • CVE-2024-46538Oct 22, 2024
    risk 0.07cvss epss 0.78

    A cross-site scripting (XSS) vulnerability in pfsense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php.

  • CVE-2019-16667Sep 26, 2019
    risk 0.07cvss epss 0.55

    diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands. This occurs because csrf_callback() produces a "CSRF token expired" error and a Try Again button when a CSRF token is missing.

  • CVE-2017-1000479HigJan 3, 2018
    risk 0.06cvss 8.8epss 0.33

    pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork…

  • CVE-2014-4688Jul 2, 2014
    risk 0.04cvss epss 0.07

    pfSense before 2.1.4 allows remote authenticated users to execute arbitrary commands via (1) the hostname value to diag_dns.php in a Create Alias action, (2) the smartmonemail value to diag_smart.php, or (3) the database value to status_rrd_graph_img.php.

  • CVE-2010-4412Dec 7, 2010
    risk 0.03cvss epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in pfSense 2 beta 4 allow remote attackers to inject arbitrary web script or HTML via (1) the id parameter in an olsrd.xml action to pkg_edit.php, (2) the xml parameter to pkg.php, or the if parameter to (3) status_graph.php or…

  • CVE-2010-4246Dec 7, 2010
    risk 0.03cvss epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in graph.php in pfSense 1.2.3 and 2 beta 4 allow remote attackers to inject arbitrary web script or HTML via the (1) ifnum or (2) ifname parameter, a different vulnerability than CVE-2008-1182.

  • CVE-2015-2294Apr 1, 2015
    risk 0.02cvss epss 0.24

    Multiple cross-site scripting (XSS) vulnerabilities in the WebGUI in pfSense before 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) zone parameter to status_captiveportal.php; (2) if or (3) dragtable parameter to firewall_rules.php; (4) queue…

  • CVE-2025-34176Sep 9, 2025
    risk 0.01cvss epss 0.14

    In pfSense CE /suricata/suricata_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related strings/characters. This value is directly used in a file existence check operation. While the contents of the file cannot be read, the server…

  • CVE-2022-29273Feb 22, 2023
    risk 0.01cvss epss 0.60

    pfSense CE through 2.6.0 and pfSense Plus before 22.05 allow XSS in the WebGUI via URL Table Alias URL parameters.

  • CVE-2019-12949Jun 25, 2019
    risk 0.01cvss epss 0.03

    In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authenticated administrator into clicking on a button on a phishing page, an attacker can leverage XSS to upload arbitrary executable code, via diag_command.php and rrd_fetch_json.php (timePeriod parameter), to a…

  • CVE-2025-34177Sep 9, 2025
    risk 0.00cvss epss 0.01

    In pfSense CE /suricata/suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg…

  • CVE-2025-34173Sep 9, 2025
    risk 0.00cvss epss 0.01

    In pfSense CE /usr/local/www/snort/snort_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related characters/strings before being used to check if a file exists. While the contents of the file cannot be read, the server reveals…

  • CVE-2025-34172Sep 9, 2025
    risk 0.00cvss epss 0.01

    In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.

Page 1 of 3