SB2026061548 - Multiple vulnerabilities in OPNsense

Published: June 15, 2026

Security Bulletin ID: SB2026061548
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 50%, Low: 50%

Description

This security bulletin contains information about 4 vulnerabilities.


1) XPath Injection (CVE-ID: CVE-2026-53582)

CWE-ID: CWE-643 - Improper Neutralization of Data within XPath Expressions

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information and escalate privileges.

The vulnerability exists due to XPath injection in the Trust module refid field when processing stored CA object data during API retrieval. A remote user can store a crafted XPath expression in the refid field and trigger its evaluation via the CA get endpoint to disclose sensitive information and escalate privileges.

The issue is exploitable by a user with System: CA Manager permissions, and the boolean side channel can be used to extract secrets from config.xml character by character.


2) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of another administrator.

The vulnerability exists due to cross-site scripting in the legacy PHP firewall rules edit page when rendering a stored TrafficShaper description value without HTML escaping. A remote privileged user can store a crafted description field value to execute arbitrary JavaScript in the browser of another administrator.

User interaction is required when another administrator opens the Firewall Rules edit page.


3) Path traversal (CVE-ID: N/A)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to create or overwrite root-owned files outside the intended IPsec certificate directories.

The vulnerability exists due to path traversal in Trust certificate refid handling in IPsec file generation when processing attacker-controlled certificate references during IPsec reconfiguration. A remote user can supply a crafted refid value to create or overwrite root-owned files outside the intended IPsec certificate directories.

Exploitation requires access to Trust certificate management and IPsec configuration, and the created files retain fixed .key and .crt suffixes.


4) Path traversal (CVE-ID: N/A)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to create root-owned symlinks outside the intended IPsec CA directory.

The vulnerability exists due to path traversal in Trust CA refid handling in IPsec CA file generation when processing attacker-controlled CA references during IPsec reconfiguration. A remote user can supply a crafted refid value to create root-owned symlinks outside the intended IPsec CA directory.

Exploitation requires access to Trust CA management and IPsec configuration, and the created symlink retains a fixed .crt suffix.
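The common root of items 1, 3 and 4 is a stored refid that reaches an XPath expression or a filesystem path without being constrained. Below is an added illustration in Python (not OPNsense's own PHP code) of the unsafe concatenation beside an allowlist-plus-containment check; the hexadecimal refid format, the directory name and the function names are assumptions made for this example.

```python
import re
from pathlib import Path

# Assumed refid format for this example: a short lowercase hexadecimal token.
# This is NOT OPNsense's actual validator, only a strict allowlist stand-in.
REFID_RE = re.compile(r"^[0-9a-f]{1,32}$")


def is_valid_refid(refid: str) -> bool:
    """Allowlist check applied before a refid reaches XPath or a file path."""
    return bool(REFID_RE.fullmatch(refid))


def ca_xpath_unsafe(refid: str) -> str:
    """Vulnerable pattern (item 1): the stored value is spliced straight into
    the XPath expression, so quote or bracket characters in it alter the query."""
    return f"//ca[refid='{refid}']"


def ca_xpath_safe(refid: str) -> str:
    """Hardened form: anything outside the allowlist is refused, so the value
    can only ever appear as a plain literal inside the expression."""
    if not is_valid_refid(refid):
        raise ValueError("refid contains characters outside the allowlist")
    return f"//ca[refid='{refid}']"


def ipsec_cert_path(refid: str, base_dir: str, suffix: str = ".crt") -> Path:
    """Hardened path builder for the IPsec certificate/CA files (items 3 and 4):
    validates the refid, appends the fixed suffix, and then confirms the
    resolved path is still inside base_dir (defence in depth against any
    allowlist mistake)."""
    if not is_valid_refid(refid):
        raise ValueError("refid contains characters outside the allowlist")
    base = Path(base_dir).resolve()
    target = (base / f"{refid}{suffix}").resolve()
    if base not in target.parents:
        raise ValueError("resolved path escapes the certificate directory")
    return target


if __name__ == "__main__":
    # Constructed sample values for a local run.
    print(ca_xpath_safe("5f3a9c0b1d"))
    print(ipsec_cert_path("5f3a9c0b1d", "/tmp/ipsec-example", ".key"))
```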


Remediation

Install the update from the vendor's website.