5.1

OPNsense 19.1: Malicious scripts can be injected via firewall rule editing

CVE-2019-25373
Summary

A security issue in OPNsense 19.1 allows an attacker to inject malicious scripts into the browsers of other users who view firewall rule pages. This can happen if an attacker is authenticated and submits crafted input to the firewall rule editing page. To fix this, update to a patched version of OPNsense or apply the available patch.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
opnsense | opnsense | 19.1 | –
Original title
OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. Attackers c...
Original description
OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. Attackers can send POST requests to firewall_rules_edit.php with script payloads in the category field to execute arbitrary JavaScript in the browsers of other users accessing firewall rule pages.
nvd CVSS3.1 5.4
nvd CVSS4.0 5.1
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 15 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026
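
A defender-side check for the stored category value described above, as an added example that is not part of the advisory or of OPNsense's own code: it scans an exported configuration for firewall rule categories containing HTML markup characters and reports them in escaped form. The `<filter>/<rule>/<category>` layout, the `audit_categories` name and the sample configuration are assumptions constructed for illustration.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample of an exported configuration. The filter/rule/category
# element layout is an assumption about the backup format, not from the advisory.
SAMPLE_CONFIG = """<opnsense>
  <filter>
    <rule><descr>allow dns</descr><category>infra</category></rule>
    <rule><descr>allow web</descr><category>&lt;script&gt;alert(1)&lt;/script&gt;</category></rule>
    <rule><descr>mgmt</descr><category>x" onmouseover="y</category></rule>
    <rule><descr>no category</descr></rule>
  </filter>
</opnsense>"""

# Characters that can break out of HTML text or attribute context.
# A plain category label has no reason to contain any of them.
SUSPECT = re.compile(r"[<>\"'`]")


def audit_categories(config_xml):
    """Return (rule index, description, escaped category) for suspicious values.

    Parse only configuration exported from your own firewall.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for idx, rule in enumerate(root.iterfind("./filter/rule")):
        category = rule.findtext("category")
        if category and SUSPECT.search(category):
            # Escape before reporting so the audit output cannot itself be
            # rendered as markup by a ticketing system or web dashboard.
            findings.append(
                (idx, rule.findtext("descr", default=""), html.escape(category, quote=True))
            )
    return findings


if __name__ == "__main__":
    for idx, descr, category in audit_categories(SAMPLE_CONFIG):
        print(f"rule #{idx} ({descr}): suspicious category {category}")
```

A hit means a rule's category should be reviewed and reset by an administrator; rendering the value through HTML escaping, as the report does, is the general mitigation for CWE-79.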