SB2026061548 - Multiple vulnerabilities in OPNsense
Published: June 15, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) XPath Injection (CVE-ID: CVE-2026-53582)
CWE-ID: CWE-643 - Improper Neutralization of Data within XPath Expressions
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information and escalate privileges.
The vulnerability exists due to XPath injection in the trust module refid field when processing stored CA object data during API retrieval. A remote user can store a crafted XPath expression in the refid field and trigger its evaluation via the ca get endpoint to disclose sensitive information and escalate privileges.
The issue is exploitable by a user with System: CA Manager permissions, and the boolean side channel can be used to extract secrets from config.xml character by character.
2) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of another administrator.
The vulnerability exists due to cross-site scripting in the legacy PHP firewall rules edit page when rendering a stored TrafficShaper description value without HTML escaping. A remote privileged user can store a crafted description field value to execute arbitrary JavaScript in the browser of another administrator.
User interaction is required when another administrator opens the Firewall Rules edit page.
3) Path traversal (CVE-ID: N/A)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to create or overwrite root-owned files outside the intended IPsec certificate directories.
The vulnerability exists due to path traversal in Trust certificate refid handling in IPsec file generation when processing attacker-controlled certificate references during IPsec reconfiguration. A remote user can supply a crafted refid value to create or overwrite root-owned files outside the intended IPsec certificate directories.
Exploitation requires access to Trust certificate management and IPsec configuration, and the created files retain fixed .key and .crt suffixes.
4) Path traversal (CVE-ID: N/A)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to create root-owned symlinks outside the intended IPsec CA directory.
The vulnerability exists due to path traversal in Trust CA refid handling in IPsec CA file generation when processing attacker-controlled CA references during IPsec reconfiguration. A remote user can supply a crafted refid value to create root-owned symlinks outside the intended IPsec CA directory.
Exploitation requires access to Trust CA management and IPsec configuration, and the created symlink retains a fixed .crt suffix.
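Items 1, 3 and 4 share one root cause: a stored refid is interpolated into an XPath predicate or a filesystem path without validation. The following is an added defensive example (not OPNsense code; the alphanumeric refid rule, the XPath shape, the base directory and the config fragment are all assumptions made for illustration) that allowlists the value before either use, re-checks the resolved path, and audits a config backup for already-stored refids that fail the rule.

```python
import os
import re
import xml.etree.ElementTree as ET

# Assumed allowlist for a refid: a short alphanumeric token. This is an
# assumption made for the example, not OPNsense's own refid rule.
REFID_RE = re.compile(r"[A-Za-z0-9]{1,64}")


def is_valid_refid(refid: str) -> bool:
    """True only for refids that cannot close an XPath string literal,
    add a predicate, or contain a path separator or '..'."""
    return REFID_RE.fullmatch(refid) is not None


def xpath_for_refid(refid: str) -> str:
    """Build the lookup predicate only from a validated refid, so the value
    can never terminate the quoted literal and append its own XPath."""
    if not is_valid_refid(refid):
        raise ValueError("refid rejected: %r" % refid)
    return "//ca[refid='%s']" % refid


def cert_path(base_dir: str, refid: str, suffix: str) -> str:
    """Resolve <base_dir>/<refid><suffix> and refuse anything that does not
    land directly inside base_dir, as a second check behind the allowlist."""
    if not is_valid_refid(refid):
        raise ValueError("refid rejected: %r" % refid)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, refid + suffix))
    if os.path.dirname(target) != base:
        raise ValueError("path escapes %s" % base)
    return target


# Constructed config fragment for the audit below (not a real config.xml).
CONSTRUCTED_CONFIG = """<opnsense>
  <ca><refid>5f3a9b1c2d4e</refid><descr>good</descr></ca>
  <ca><refid>../../tmp/bad</refid><descr>traversal</descr></ca>
  <cert><refid>abc']</refid><descr>literal break</descr></cert>
</opnsense>"""


def audit_refids(config_xml: str) -> list:
    """Return every stored refid that fails the allowlist; run this over a
    config backup to find values planted before the fix was installed."""
    root = ET.fromstring(config_xml)
    return [el.text or "" for el in root.iter("refid")
            if not is_valid_refid(el.text or "")]
```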
Remediation
Install the update from the vendor's website.