Volerion logoVolerion
Volerion logoVolerion

OPNsense Stored Cross-Site Scripting Vulnerability in Firewall Rules Editing Page

Vulnerability

A stored cross-site scripting vulnerability has been identified in OPNsense version 19.1. This issue allows authenticated attackers to inject malicious scripts that are executed in the browsers of users viewing firewall rule pages. The vulnerability arises from improper input validation in the category parameter, which can be exploited by sending POST requests to firewall_rules_edit.php with script payloads.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.

Reproduction

To reproduce this vulnerability, log into an OPNsense 19.1 system and navigate to the 'Firewall: Rules' section. Select any interface tab, such as 'FloatingRules', 'lan', or 'wan'. Once in the firewall rules editing page, inject a script payload into the category field and submit the form. The injected script will be executed in the browser of any user who accesses the firewall rule page.

Remediation

Users can update to OPNsense version 19.1.1, which addresses this cross-site scripting vulnerability.

Added: Feb 15, 2026, 2:19 PM
Updated: Feb 15, 2026, 2:19 PM

Vulnerability Rating

Custom Algorithm
spread
5.7
impact
1.7
exploitability
4.6
remediation
7.7
relevance
2.8
threat
6.4
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.