ipfire CVE Vulnerabilities & Metrics

Focus on ipfire vulnerabilities and metrics.

Last updated: 10 Sep 2025, 22:25 UTC

About ipfire Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with ipfire. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total ipfire CVEs: 10
Earliest CVE date: 19 Jun 2017, 13:29 UTC
Latest CVE date: 26 Aug 2025, 19:15 UTC

Latest CVE reference: CVE-2025-50975

Rolling Stats

30-day Count (Rolling): 3
365-day Count (Rolling): 3

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical ipfire CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.33

Max CVSS: 9.0

Critical CVEs (≥9): 1

CVSS Range vs. Count

Range	Count
0.0-3.9	6
4.0-6.9	3
7.0-8.9	0
9.0-10.0	1

CVSS Distribution Chart

Top 5 Highest CVSS ipfire CVEs

These are the five CVEs with the highest CVSS scores for ipfire, sorted by severity first and recency.

CVE-2021-33393 ipfire Published on 09 Jun 2021, 22:15 UTC (CVSS: 9.0)
lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfire/backup/bin/backup.pl is owned by the root account. It might be owned by an unprivileged account, which could potentially be used to install a Trojan horse backup.pl script that is later executed by root. Similar problems with the ownership/permissions of other files may be present as well.
CVE-2018-16232 ipfire Published on 17 Oct 2018, 14:29 UTC (CVSS: 6.5)
An authenticated command injection vulnerability exists in IPFire Firewall before 2.21 Core Update 124 in backup.cgi. This allows an authenticated user with privileges for the affected page to execute arbitrary commands.
CVE-2017-9757 ipfire Published on 19 Jun 2017, 13:29 UTC (CVSS: 6.5)
IPFire 2.19 has a Remote Command Injection vulnerability in ids.cgi via the OINKCODE parameter, which is mishandled by a shell. This can be exploited directly by authenticated users, or through CSRF.
CVE-2020-21142 ipfire Published on 28 Jun 2021, 20:15 UTC (CVSS: 4.3)
Cross Site Scripting (XSS) vulnerabilty in IPFire 2.23 via the IPfire web UI in the mail.cgi.
CVE-2020-19204 ipfire Published on 12 Jul 2021, 16:15 UTC (CVSS: 3.5)
An authenticated Stored Cross-Site Scriptiong (XSS) vulnerability exists in Lightning Wire Labs IPFire 2.21 (x86_64) - Core Update 130 in the "routing.cgi" Routing Table Entries via the "Remark" text box or "remark" parameter. It allows an authenticated WebGUI user to execute Stored Cross-site Scripting in the Routing Table Entries.

All CVEs for ipfire

CVE-2025-50975 ipfire vulnerability CVSS: 0 26 Aug 2025, 19:15 UTC

IPFire 2.29 web-based firewall interface (firewall.cgi) fails to sanitize several rule parameters such as PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt, and tgt_addr, allowing an authenticated administrator to inject persistent JavaScript. This stored XSS payload is executed whenever another admin views the firewall rules page, enabling session hijacking, unauthorized actions within the interface, or further internal pivoting. Exploitation requires only high-privilege GUI access, and the complexity of the attack is low.

CVE-2025-50976 ipfire vulnerability CVSS: 0 26 Aug 2025, 18:15 UTC

IPFire 2.29 DNS management interface (dns.cgi) fails to properly sanitize user-supplied input in the NAMESERVER, REMARK, and TLS_HOSTNAME query parameters, resulting in a reflected cross-site scripting (XSS) vulnerability.

CVE-2025-50974 ipfire vulnerability CVSS: 0 26 Aug 2025, 17:15 UTC

The Calamaris log exporter CGI (/cgi-bin/logs.cgi/calamaris.dat) in IPFire 2.29 does not properly sanitize user-supplied input before incorporating parameter values into a shell command. An unauthenticated remote attacker can inject arbitrary OS commands by embedding shell metacharacters in any of the following parameters BYTE_UNIT, DAY_BEGIN, DAY_END, HIST_LEVEL, MONTH_BEGIN, MONTH_END, NUM_CONTENT, NUM_DOMAINS, NUM_HOSTS, NUM_URLS, PERF_INTERVAL, YEAR_BEGIN, YEAR_END.

CVE-2022-36368 ipfire vulnerability CVSS: 0 24 Oct 2022, 14:15 UTC

Multiple stored cross-site scripting vulnerabilities in the web user interface of IPFire versions prior to 2.27 allows a remote authenticated attacker with administrative privilege to inject an arbitrary script.

CVE-2020-19204 ipfire vulnerability CVSS: 3.5 12 Jul 2021, 16:15 UTC

An authenticated Stored Cross-Site Scriptiong (XSS) vulnerability exists in Lightning Wire Labs IPFire 2.21 (x86_64) - Core Update 130 in the "routing.cgi" Routing Table Entries via the "Remark" text box or "remark" parameter. It allows an authenticated WebGUI user to execute Stored Cross-site Scripting in the Routing Table Entries.

CVE-2020-21142 ipfire vulnerability CVSS: 4.3 28 Jun 2021, 20:15 UTC

Cross Site Scripting (XSS) vulnerabilty in IPFire 2.23 via the IPfire web UI in the mail.cgi.

CVE-2020-19202 ipfire vulnerability CVSS: 3.5 17 Jun 2021, 16:15 UTC

An authenticated Stored XSS (Cross-site Scripting) exists in the "captive.cgi" Captive Portal via the "Title of Login Page" text box or "TITLE" parameter in IPFire 2.21 (x86_64) - Core Update 130. It allows an authenticated WebGUI user with privileges to execute Stored Cross-site Scripting in the Captive Portal page.

CVE-2021-33393 ipfire vulnerability CVSS: 9.0 09 Jun 2021, 22:15 UTC

lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfire/backup/bin/backup.pl is owned by the root account. It might be owned by an unprivileged account, which could potentially be used to install a Trojan horse backup.pl script that is later executed by root. Similar problems with the ownership/permissions of other files may be present as well.

CVE-2018-16232 ipfire vulnerability CVSS: 6.5 17 Oct 2018, 14:29 UTC

An authenticated command injection vulnerability exists in IPFire Firewall before 2.21 Core Update 124 in backup.cgi. This allows an authenticated user with privileges for the affected page to execute arbitrary commands.

CVE-2017-9757 ipfire vulnerability CVSS: 6.5 19 Jun 2017, 13:29 UTC

IPFire 2.19 has a Remote Command Injection vulnerability in ids.cgi via the OINKCODE parameter, which is mishandled by a shell. This can be exploited directly by authenticated users, or through CSRF.