VYPR

Opnsense

by Opnsense

Source repositories

CVEs (38)

  • CVE-2019-25368 (Feb 15, 2026)
    risk: cvss 0.00, epss 0.00

    OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url,…

  • CVE-2025-50989 (Aug 27, 2025)
    risk: cvss 0.00, epss 0.08

    OPNsense before 25.1.8 contains an authenticated command injection vulnerability in its Bridge Interface Edit endpoint (interfaces_bridge_edit.php). The span POST parameter is concatenated into a system-level command without proper sanitization or escaping, allowing an…

  • CVE-2023-27152 (Oct 23, 2023)
    risk: cvss 0.00, epss 0.01

    DECISO OPNsense 23.1 does not impose rate limits for authentication, allowing attackers to perform a brute-force attack to bypass authentication.

  • CVE-2023-44276 (Sep 28, 2023)
    risk: cvss 0.00, epss 0.01

    OPNsense before 23.7.5 allows XSS via the index.php sequence parameter to the Lobby Dashboard.

  • CVE-2023-44275 (Sep 28, 2023)
    risk: cvss 0.00, epss 0.01

    OPNsense before 23.7.5 allows XSS via the index.php column_count parameter to the Lobby Dashboard.

  • CVE-2023-39006 (Aug 9, 2023)
    risk: cvss 0.00, epss 0.00

    The Crash Reporter (crash_reporter.php) component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 mishandles input sanitization.

  • CVE-2023-38997 (Aug 9, 2023)
    risk: cvss 0.00, epss 0.01

    A directory traversal vulnerability in the Captive Portal templates of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands as root via a crafted ZIP archive.

  • CVE-2023-39001 (Aug 9, 2023)
    risk: cvss 0.00, epss 0.03

    A command injection vulnerability in the component diag_backup.php of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary commands via a crafted backup configuration file.

  • CVE-2023-39005 (Aug 9, 2023)
    risk: cvss 0.00, epss 0.01

    Insecure permissions exist for configd.socket in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2.

  • CVE-2023-39007 (Aug 9, 2023)
    risk: cvss 0.00, epss 0.02

    /ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows XSS via openAction in app/controllers/OPNsense/Cron/ItemController.php.

  • CVE-2023-39000 (Aug 9, 2023)
    risk: cvss 0.00, epss 0.01

    A reflected cross-site scripting (XSS) vulnerability in the component /ui/diagnostics/log/core/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to inject arbitrary JavaScript via the URL path.

  • CVE-2023-39002 (Aug 9, 2023)
    risk: cvss 0.00, epss 0.01

    A cross-site scripting (XSS) vulnerability in the act parameter of system_certmanager.php in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2023-38998 (Aug 9, 2023)
    risk: cvss 0.00, epss 0.01

    An open redirect in the Login page of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to redirect a victim user to an arbitrary web site via a crafted URL.

  • CVE-2023-38999 (Aug 9, 2023)
    risk: cvss 0.00, epss 0.00

    A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/halt) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

  • CVE-2023-39008 (Aug 9, 2023)
    risk: cvss 0.00, epss 0.03

    A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands.

  • CVE-2021-42770 (Nov 8, 2021)
    risk: cvss 0.00, epss 0.01

    A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4 via the LDAP attribute return in the authentication tester.

  • CVE-2018-18958 (Jun 17, 2019)
    risk: cvss 0.00, epss 0.01

    OPNsense 18.7.x before 18.7.7 has Incorrect Access Control.

  • CVE-2019-11816 (May 20, 2019)
    risk: cvss 0.00, epss 0.03

    Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfSense before 2.4.4-p3, allows remote authenticated users to escalate privileges to administrator via a specially crafted request.

Page 2 of 2