Product
opnsense
37 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-45158
< 26.1.8
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configura
9.1
CRITICAL
CVE-2026-44195
< 26.1.7
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockout_handler allows an
5.3
MEDIUM
CVE-2026-44194
< 26.1.8
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerabi
9.1
CRITICAL
CVE-2026-44193
< 26.1.7
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fail
9.1
CRITICAL
CVE-2026-34578
< 26.1.6
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the lo
8.2
HIGH
CVE-2026-30868
< 26.1.4
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state‑ch
6.3
MEDIUM
CVE-2019-25377
all versions
OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attac
5.4
MEDIUM
CVE-2019-25376
all versions
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious sc
6.1
MEDIUM
CVE-2019-25375
all versions
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious sc
6.1
MEDIUM
CVE-2019-25374
all versions
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploit
6.1
MEDIUM
CVE-2019-25373
all versions
OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts
6.4
MEDIUM
CVE-2019-25372
all versions
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious sc
6.1
MEDIUM
CVE-2019-25371
all versions
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious sc
6.1
MEDIUM
CVE-2019-25370
all versions
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitt
6.1
MEDIUM
CVE-2019-25369
all versions
OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attacker
6.4
MEDIUM
CVE-2019-25368
all versions
OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to injec
5.4
MEDIUM
CVE-2025-50989
< 25.1.8
OPNsense before 25.1.8 contains an authenticated command injection vulnerability in its Bridge Interface Edit endpoint (interfaces
9.1
CRITICAL
CVE-2023-27152
all versions
DECISO OPNsense 23.1 does not impose rate limits for authentication, allowing attackers to perform a brute-force attack to bypass
9.8
CRITICAL
CVE-2023-44276
< 23.7.5
OPNsense before 23.7.5 allows XSS via the index.php sequence parameter to the Lobby Dashboard.
5.4
MEDIUM
CVE-2023-44275
< 23.7.5
OPNsense before 23.7.5 allows XSS via the index.php column_count parameter to the Lobby Dashboard.
5.4
MEDIUM
CVE-2023-39008
< 23.7
A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense Community Edition before 23.7 and Busine
9.8
CRITICAL
CVE-2023-39007
< 23.7
/ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows XSS v
9.6
CRITICAL
CVE-2023-39006
< 23.7
The Crash Reporter (crash_reporter.php) component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 mis
5.4
MEDIUM
CVE-2023-39005
< 23.7
Insecure permissions exist for configd.socket in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2.
7.5
HIGH
CVE-2023-39004
< 23.7
Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before
9.8
CRITICAL
CVE-2023-39003
< 23.7
OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 was discovered to contain insecure permissions in the di
7.5
HIGH
CVE-2023-39002
< 23.7
A cross-site scripting (XSS) vulnerability in the act parameter of system_certmanager.php in OPNsense Community Edition before 23.
6.1
MEDIUM
CVE-2023-39001
< 23.7
A command injection vulnerability in the component diag_backup.php of OPNsense Community Edition before 23.7 and Business Edition
9.8
CRITICAL
CVE-2023-39000
< 23.7
A reflected cross-site scripting (XSS) vulnerability in the component /ui/diagnostics/log/core/ of OPNsense Community Edition befo
6.1
MEDIUM
CVE-2023-38999
< 23.7
A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/halt) of OPNsense Community Edition before 23.7 and Business E
6.5
MEDIUM
CVE-2023-38998
< 23.7
An open redirect in the Login page of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers t
6.1
MEDIUM
CVE-2023-38997
< 23.7
A directory traversal vulnerability in the Captive Portal templates of OPNsense Community Edition before 23.7 and Business Edition
7.2
HIGH
CVE-2021-42770
<= 19.7.0
A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4 via the LDAP attribute return in the authentic
6.1
MEDIUM
CVE-2020-23015
<= 20.1.5
An open redirect issue was discovered in OPNsense through 20.1.5. The redirect parameter "url" in login page was not filtered and
6.1
MEDIUM
CVE-2018-18958
>= 18.7.0 and < 18.7.7
OPNsense 18.7.x before 18.7.7 has Incorrect Access Control.
6.5
MEDIUM
CVE-2019-11816
< 19.1.8
Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated u
7.2
HIGH
CVE-2017-1000479
< 16.1.16
pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution o
8.8
HIGH
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin