Reflected Cross-Site Scripting Vulnerability in OPNsense by Deciso
CVE-2019-25372

5.1MEDIUM

Key Information:

Vendor: Opnsense
Status: Opnsense
Vendor: CVE Published:; 15 February 2026

Badges

👾 Exploit Exists

What is CVE-2019-25372?

OPNsense 19.1 is vulnerable to a reflected cross-site scripting attack due to insufficient input validation in the host parameter. This vulnerability enables unauthenticated attackers to craft specific POST requests to the 'diag_traceroute.php' interface, allowing them to execute arbitrary JavaScript within the user’s browser session. As a result, the attacker can potentially steal sensitive information or manipulate user interactions.

Affected Version(s)

OPNsense 19.1

References

https://www.exploit-db.com/exploits/46351

exploit

https://opnsense.org

product

https://forum.opnsense.org/index.php?topic=11469.0

patch

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Feb 15, 2026
👾
Exploit known to exist
Feb 15, 2026
Vulnerability published
Feb 15, 2026
Vulnerability Reserved
Feb 15, 2026

Credit

Ozer Goker

CVE-2019-25372 Data

JSON

Opnsense

Badges

What is CVE-2019-25372?

Affected Version(s)

References

CVSS V4

Timeline

Credit