Security: opnsense/core
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Stored Cross-Site Scripting (XSS) via TrafficShaper description in legacy PHP firewall rules page
  GHSA-m4m3-v627-wgc2 published Jun 15, 2026 by fichtner (High)
- Trust certificate and CA refids allow path traversal during IPsec file generation
  GHSA-33q4-wcv7-r8fr published Jun 15, 2026 by fichtner (High)
- XPATH Injection can disclose any secret in config.xml
  GHSA-xww7-76m6-mh2r published Jun 15, 2026 by fichtner (High)
- ntp: write path traversal
  GHSA-872g-g543-j37m published Jun 2, 2026 by fichtner (Critical)
- RCE on user management
  GHSA-f59w-m967-9rf6 published May 12, 2026 by fichtner (Critical)
- Command Injection via Attacker-Controlled DHCP Config
  GHSA-5rx3-w735-74wm published May 12, 2026 by fichtner (Critical)
- RCE via XMLRPC endpoint using `opnsense.restore_config_section` method
  GHSA-xxp9-93cr-x54p published Apr 30, 2026 by fichtner (Critical)
- Authentication lockout bypass
  GHSA-h3vx-4q27-rc42 published Apr 30, 2026 by fichtner (Moderate)
- LDAP Injection via Unsanitized Username in Authentication
  GHSA-jpm7-f59c-mp54 published Apr 9, 2026 by fichtner (High)
- Cross-Site Request Forgery (CSRF) in opnsense/core
  GHSA-pp58-2qpc-3j3f published Mar 11, 2026 by fichtner (Moderate)