opnsense CVE Vulnerabilities & Metrics

Focus on opnsense vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About opnsense Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with opnsense. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total opnsense CVEs: 19
Earliest CVE date: 20 May 2019, 22:29 UTC
Latest CVE date: 23 Oct 2023, 21:15 UTC

Latest CVE reference: CVE-2023-27152

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -100.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -100.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical opnsense CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 1.08

Max CVSS: 6.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	15
4.0-6.9	4
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS opnsense CVEs

These are the five CVEs with the highest CVSS scores for opnsense, sorted by severity first and recency.

CVE-2019-11816 opnsense Published on 20 May 2019, 22:29 UTC (CVSS: 6.5)
Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to escalate privileges to administrator via a specially crafted request.
CVE-2020-23015 opnsense Published on 03 May 2021, 22:15 UTC (CVSS: 5.8)
An open redirect issue was discovered in OPNsense through 20.1.5. The redirect parameter "url" in login page was not filtered and can redirect user to any website.
CVE-2021-42770 opnsense Published on 08 Nov 2021, 16:15 UTC (CVSS: 4.3)
A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4 via the LDAP attribute return in the authentication tester.
CVE-2018-18958 opnsense Published on 17 Jun 2019, 21:15 UTC (CVSS: 4.0)
OPNsense 18.7.x before 18.7.7 has Incorrect Access Control.
CVE-2023-27152 opnsense Published on 23 Oct 2023, 21:15 UTC (CVSS: 0)
DECISO OPNsense 23.1 does not impose rate limits for authentication, allowing attackers to perform a brute-force attack to bypass authentication.

All CVEs for opnsense

CVE-2023-27152 opnsense vulnerability CVSS: 0 23 Oct 2023, 21:15 UTC

DECISO OPNsense 23.1 does not impose rate limits for authentication, allowing attackers to perform a brute-force attack to bypass authentication.

CVE-2023-44276 opnsense vulnerability CVSS: 0 28 Sep 2023, 05:15 UTC

OPNsense before 23.7.5 allows XSS via the index.php sequence parameter to the Lobby Dashboard.

CVE-2023-44275 opnsense vulnerability CVSS: 0 28 Sep 2023, 05:15 UTC

OPNsense before 23.7.5 allows XSS via the index.php column_count parameter to the Lobby Dashboard.

CVE-2023-39008 opnsense vulnerability CVSS: 0 09 Aug 2023, 19:15 UTC

A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands.

CVE-2023-39007 opnsense vulnerability CVSS: 0 09 Aug 2023, 19:15 UTC

/ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows XSS via openAction in app/controllers/OPNsense/Cron/ItemController.php.

CVE-2023-39006 opnsense vulnerability CVSS: 0 09 Aug 2023, 19:15 UTC

The Crash Reporter (crash_reporter.php) component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 mishandles input sanitization.

CVE-2023-39005 opnsense vulnerability CVSS: 0 09 Aug 2023, 19:15 UTC

Insecure permissions exist for configd.socket in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2.

CVE-2023-39004 opnsense vulnerability CVSS: 0 09 Aug 2023, 19:15 UTC

Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allow attackers to access sensitive information (e.g., hashed root password) which could lead to privilege escalation.

CVE-2023-39003 opnsense vulnerability CVSS: 0 09 Aug 2023, 19:15 UTC

OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 was discovered to contain insecure permissions in the directory /tmp.

CVE-2023-39002 opnsense vulnerability CVSS: 0 09 Aug 2023, 19:15 UTC

A cross-site scripting (XSS) vulnerability in the act parameter of system_certmanager.php in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE-2023-39001 opnsense vulnerability CVSS: 0 09 Aug 2023, 19:15 UTC

A command injection vulnerability in the component diag_backup.php of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary commands via a crafted backup configuration file.

CVE-2023-39000 opnsense vulnerability CVSS: 0 09 Aug 2023, 19:15 UTC

A reflected cross-site scripting (XSS) vulnerability in the component /ui/diagnostics/log/core/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to inject arbitrary JavaScript via the URL path.

CVE-2023-38999 opnsense vulnerability CVSS: 0 09 Aug 2023, 19:15 UTC

A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/halt) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

CVE-2023-38998 opnsense vulnerability CVSS: 0 09 Aug 2023, 19:15 UTC

An open redirect in the Login page of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to redirect a victim user to an arbitrary web site via a crafted URL.

CVE-2023-38997 opnsense vulnerability CVSS: 0 09 Aug 2023, 19:15 UTC

A directory traversal vulnerability in the Captive Portal templates of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands as root via a crafted ZIP archive.

CVE-2021-42770 opnsense vulnerability CVSS: 4.3 08 Nov 2021, 16:15 UTC

A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4 via the LDAP attribute return in the authentication tester.

CVE-2020-23015 opnsense vulnerability CVSS: 5.8 03 May 2021, 22:15 UTC

An open redirect issue was discovered in OPNsense through 20.1.5. The redirect parameter "url" in login page was not filtered and can redirect user to any website.

CVE-2018-18958 opnsense vulnerability CVSS: 4.0 17 Jun 2019, 21:15 UTC

OPNsense 18.7.x before 18.7.7 has Incorrect Access Control.

CVE-2019-11816 opnsense vulnerability CVSS: 6.5 20 May 2019, 22:29 UTC

Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to escalate privileges to administrator via a specially crafted request.