SB2026070359 - Multiple vulnerabilities in OPNsense
Published: July 3, 2026
Description
This security bulletin contains information about 10 vulnerabilities.
1) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to an error in the interaction between the "OPNsense\Core\ACL::hasPrivilege()" check and the MVC API "throwReadOnly()" check. A remote user can bypass the intended access restrictions and modify the configuration.
2) OS Command Injection (CVE-ID: CVE-2026-57155)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the Firewall Alias GeoIP importer. A remote user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
3) Improper Output Neutralization for Logs (CVE-ID: N/A)
CWE-ID: CWE-117 - Improper Output Neutralization for Logs
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient neutralization of special characters in the login username field when it is written to the logs. A remote attacker on the local network can bypass brute-force protection and perform a denial of service (DoS) attack.
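The failure mode in item 3 is that a username carrying CR/LF or other control characters is written into a log line that a brute-force protector later parses one event per line. The following is an added illustration (not OPNsense code); the log line format, the function names and the sample username are constructed assumptions. It shows the raw interpolation beside a neutralizing writer and a per-source failure counter of the kind a lockout mechanism relies on:

```python
import re

# Constructed log line format, assumed for illustration only (not OPNsense's
# real syslog format): auth error for '<username>' from <source address>
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_LINE = re.compile(r"^auth error for '(.*)' from (\S+)$")


def neutralize_for_log(value: str, max_len: int = 64) -> str:
    """Make an untrusted string safe to embed in exactly one log line.

    CR, LF and every other control character become a visible \\xNN escape,
    so the value can neither start a new line nor hide part of the real one.
    Over-long values are truncated so one request cannot flood the log.
    """
    escaped = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)
    return escaped[:max_len]


def unsafe_auth_failure_line(username: str, src_ip: str) -> str:
    """The CWE-117 pattern: the raw username is interpolated into the line."""
    return f"auth error for '{username}' from {src_ip}"


def auth_failure_line(username: str, src_ip: str) -> str:
    """Hardened form: the username is neutralized before it reaches the log."""
    return f"auth error for '{neutralize_for_log(username)}' from {src_ip}"


def count_failures(log_text: str) -> dict:
    """A brute-force protector's view: failed logins per source address,
    assuming one event per line. Lines it cannot parse are silently ignored."""
    counts: dict = {}
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if m:
            counts[m.group(2)] = counts.get(m.group(2), 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed username containing CR LF: with the unsafe writer the event is
    # split across two unparseable lines, so the protector never counts it.
    user = "alice\r\nnot-an-auth-event"
    print(count_failures(unsafe_auth_failure_line(user, "198.51.100.7")))  # {}
    print(count_failures(auth_failure_line(user, "198.51.100.7")))  # {'198.51.100.7': 1}
```

The counter's blind spot is the point: any event the protector cannot parse is an event it cannot rate-limit, which is why the one-line invariant must be enforced at the writer.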
4) Stored cross-site scripting (CVE-ID: CVE-2026-58394)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the certificate description within the Administration settings. A remote user can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
5) XPath Injection (CVE-ID: CVE-2026-58395)
CWE-ID: CWE-643 - Improper Neutralization of Data within XPath Expressions
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a remote attacker to gain access to sensitive information on the system.
The vulnerability exists due to XPath injection in the MVC safe-delete operation. A remote user can send a specially crafted delete request and access sensitive information on the target system.
6) Stored cross-site scripting (CVE-ID: CVE-2026-58392)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the NTP GPS configuration page. A remote user can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
7) Stored cross-site scripting (CVE-ID: CVE-2026-58391)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Firewall Rules/NAT pages. A remote user can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
8) Stored cross-site scripting (CVE-ID: CVE-2026-58390)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the common_name field as rendered in status views. A remote user can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
9) Path traversal (CVE-ID: CVE-2026-58393)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences in generated CSO files. A remote user can send a specially crafted HTTP request and write arbitrary files on the system.
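The defensive property item 9 calls for is that a generated file is written only to a path that provably stays inside its output directory, whatever the supplied name contains. The following is an added example (not OPNsense code); the function names, the "client.cso" file name and the directory layout are constructed assumptions. It rejects rather than "cleans" bad names, and checks the fully resolved target so symlinks cannot redirect the write either:

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when an untrusted name would place a file outside the output directory."""


def safe_output_path(base_dir: str, name: str) -> Path:
    """Map an untrusted file name to a path strictly inside base_dir.

    The name must be a single path component (no separators, no '.'/'..',
    no NUL), and the fully resolved target, symlinks included, must still
    have base_dir as its parent. Anything else is rejected, never rewritten.
    """
    if not name or "\x00" in name or name in (".", "..") or name != os.path.basename(name):
        raise UnsafePathError(f"rejected file name {name!r}")
    base = Path(base_dir).resolve()
    target = (base / name).resolve()  # follows symlinks before the containment check
    if target.parent != base:
        raise UnsafePathError(f"{name!r} resolves outside {base}")
    return target


def write_generated_file(base_dir: str, name: str, data: bytes) -> Path:
    """Write a generated file only through the checked path."""
    target = safe_output_path(base_dir, name)
    target.write_bytes(data)
    return target


def run_checks() -> dict:
    """Exercise the guard in throwaway directories and report the outcomes."""
    results = {"rejected": [], "symlink_rejected": False}
    with tempfile.TemporaryDirectory() as out_dir, tempfile.TemporaryDirectory() as elsewhere:
        written = write_generated_file(out_dir, "client.cso", b"constructed content")
        results["written_back"] = written.read_bytes()
        for bad in ["../escape.cso", "/etc/passwd", "sub/escape.cso", "..", "", "a\x00b"]:
            try:
                safe_output_path(out_dir, bad)
            except UnsafePathError:
                results["rejected"].append(bad)
        os.symlink(elsewhere, os.path.join(out_dir, "link"))  # points out of out_dir
        try:
            safe_output_path(out_dir, "link")
        except UnsafePathError:
            results["symlink_rejected"] = True
    return results
```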
10) CRLF injection (CVE-ID: CVE-2026-57154)
CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to inject arbitrary data into the server response.
The vulnerability exists due to insufficient validation of attacker-supplied data in multiple GUI text fields. A remote user can pass specially crafted data containing CR-LF characters to the application and modify the application's behavior.
Remediation
Install the update from the vendor's website.
References
- https://github.com/opnsense/core/security/advisories/GHSA-p9pr-782r-w2xw
- https://github.com/opnsense/core/security/advisories/GHSA-wjqq-rfmm-v5h3
- https://github.com/opnsense/core/security/advisories/GHSA-2v2x-m4j7-76pv
- https://github.com/opnsense/core/security/advisories/GHSA-8pgr-x852-qx4j
- https://github.com/opnsense/core/security/advisories/GHSA-98h6-479q-9q3w
- https://github.com/opnsense/core/security/advisories/GHSA-h793-67jm-j4m5
- https://github.com/opnsense/core/security/advisories/GHSA-2xrm-p255-p43h
- https://github.com/opnsense/core/security/advisories/GHSA-26cj-h9rj-g5pf
- https://github.com/opnsense/core/security/advisories/GHSA-2m9v-p7r9-gfcw
- https://github.com/opnsense/core/security/advisories/GHSA-fq94-cxvc-9r7w