Cross-site scripting in OPNsense - #VU134539

Published: June 15, 2026


Vulnerability identifier: #VU134539
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Deciso
Affected software:
OPNsense

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of another administrator.

The vulnerability exists due to cross-site scripting in the legacy PHP firewall rules edit page when rendering a stored TrafficShaper description value without HTML escaping. A remote privileged user can store a crafted description field value to execute arbitrary JavaScript in the browser of another administrator.

User interaction is required when another administrator opens the Firewall Rules edit page.
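The pattern behind this advisory, as an added example (not OPNsense's own code): a stored shaper description echoed into the edit page unescaped, beside the hardened form that escapes on output. The function names, the UUID and the description value are constructed for illustration.

```php
<?php
// Added example, not OPNsense code. Shows the unsafe output pattern the
// advisory describes (stored description written straight into HTML) next to
// a hardened helper that escapes at the point the value enters the markup.

// Constructed stand-in for a TrafficShaper description loaded from the config.
$shaperDescription = 'Guest WiFi <script>alert(1)</script> & "limit"';

// Constructed UUID standing in for the shaper entry's key.
$uuid = '00000000-0000-4000-8000-000000000001';

// Vulnerable: the raw stored value becomes part of the page's HTML, so any
// markup in it is parsed by the browser of whoever opens the edit page.
function render_option_unsafe(string $uuid, string $description): string
{
    return '<option value="' . $uuid . '">' . $description . '</option>';
}

// Hardened: context-aware escaping. ENT_QUOTES covers both quote styles (needed
// when the value lands inside an attribute), ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of silently returning an empty string, and the charset is explicit.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_option_safe(string $uuid, string $description): string
{
    return '<option value="' . html_escape($uuid) . '">'
        . html_escape($description) . '</option>';
}

echo "unsafe: ", render_option_unsafe($uuid, $shaperDescription), PHP_EOL;
echo "safe:   ", render_option_safe($uuid, $shaperDescription), PHP_EOL;

// Regression check a reviewer would want on the fixed page: the escaped output
// must never contain a raw tag opener or an unescaped double quote.
$safe = render_option_safe($uuid, $shaperDescription);
if (strpos($safe, '<script') !== false || strpos($safe, '"limit"') !== false) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
```

The same helper applies wherever a stored, user-controlled field (description, name, comment) is rendered by a legacy PHP page; escaping belongs at output time, in the HTML context the value is placed in, not at storage time.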


Remediation

Install the security update from the vendor's website.

Sources