Reflected Cross-Site Scripting Vulnerability in OPNsense by Deciso
CVE-2019-25374

5.1MEDIUM

Key Information:

Vendor: Opnsense
Status: Opnsense
Vendor: CVE Published:; 15 February 2026

Badges

👾 Exploit Exists

What is CVE-2019-25374?

OPNsense version 19.1 has a reflected cross-site scripting vulnerability that can be exploited by attackers through crafted POST requests targeting the passthrough_networks parameter in the vpn_ipsec_settings.php file. This vulnerability allows for the injection of malicious JavaScript payloads, which can then execute arbitrary code within the browsers of users accessing the compromised functionalities. This poses a significant risk as attackers can manipulate and disrupt user sessions, potentially leading to unauthorized access and data breaches.

Affected Version(s)

OPNsense 19.1

References

https://www.exploit-db.com/exploits/46351

exploit

https://opnsense.org

product

https://forum.opnsense.org/index.php?topic=11469.0

patch

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Feb 15, 2026
👾
Exploit known to exist
Feb 15, 2026
Vulnerability published
Feb 15, 2026
Vulnerability Reserved
Feb 15, 2026

Credit

Ozer Goker

CVE-2019-25374 Data

JSON

Opnsense

Badges

What is CVE-2019-25374?

Affected Version(s)

References

CVSS V4

Timeline

Credit