Path traversal in OPNsense - #VU134542

 

Published: June 15, 2026


Vulnerability identifier: #VU134542
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Deciso
Affected software:
OPNsense

Detailed vulnerability description

The vulnerability allows a remote user to overwrite arbitrary files on the system.

The vulnerability exists due to path traversal in the NTP configuration module when processing the GPS or PPS serial port parameter. A remote user can supply a specially crafted serial port value to overwrite arbitrary files on the system.

Successful exploitation can lead to total system compromise because the file write occurs as the root user. The target file must already exist.
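One way to validate a serial port parameter before it is used as a file path, shown as an added example (not OPNsense code and not the vendor's fix). The FreeBSD-style device name pattern, the `/dev` root, and the function names are assumptions chosen for illustration.

```python
import os
import re
import stat

# Assumed allowlist: FreeBSD-style serial device names (cuau0, cuaU0, ttyu0).
# Adjust to the devices the platform actually exposes.
SERIAL_NAME = re.compile(r"(?:cua|tty)[uU][0-9]{1,3}")


def resolve_serial_port(value, dev_root="/dev", require_chardev=True):
    """Return the absolute device path for `value`, or raise ValueError."""
    # 1. Syntactic allowlist: a bare device name, so no "/", "..", or NUL.
    #    fullmatch() also rejects a trailing newline, which "$" would allow.
    if not isinstance(value, str) or not SERIAL_NAME.fullmatch(value):
        raise ValueError("serial port is not an allowed device name")

    # 2. Canonicalise and confirm the result is still directly inside dev_root;
    #    this catches a symlink in dev_root that points elsewhere.
    root = os.path.realpath(dev_root)
    path = os.path.realpath(os.path.join(root, value))
    if os.path.dirname(path) != root:
        raise ValueError("serial port resolves outside the device directory")

    # 3. Type check: a serial port is a character device, never a regular
    #    file, so an existing config or system file cannot pass as a port.
    if require_chardev:
        try:
            mode = os.stat(path).st_mode
        except OSError:
            raise ValueError("serial port does not exist") from None
        if not stat.S_ISCHR(mode):
            raise ValueError("serial port is not a character device")
    return path


def is_safe_serial_port(value, **kwargs):
    """Boolean wrapper for use in form validation."""
    try:
        resolve_serial_port(value, **kwargs)
        return True
    except ValueError:
        return False
```

The check belongs on the server side at the point where the value is turned into a path, since client-side dropdowns do not constrain what an authenticated user can submit.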


Remediation

Install the security update from the vendor's website.
