8 advisories tracked · Netgate Security Advisories + NVD · checked automatically every minute
Pick your product and enter the exact software release it runs. We match it against the affected/fixed versions in pfSense's recent advisories.
Netgate Security Advisories + NVD
Netgate maintains a dedicated Security Advisory index for pfSense (docs.netgate.com/advisories), but pfSense CVEs are assigned by MITRE and third-party researchers rather than a Netgate CNA — so VulniPulse ingests them from NVD (keyword-filtered to pfSense, dropped unless a pfSense/Netgate product is named) and links back to the Netgate advisory or pfSense reference. Covers pfSense CE (Community Edition) and pfSense Plus — a firewall/router at the network edge where a bug is directly internet-exposed.
Visit Netgate pfSense security advisoriesNetgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.
Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code.
An issue discovered in Pfsense CE version 2.6.0 allows attackers to compromise user accounts via weak password requirements.
Cross Site Scripting vulnerability found in Netgate pfSense 2.4.4 and ACME package v.0.6.3 allows attackers to execute arbitrary code via the RootFolder field of acme_certificates.php.
Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.
pfSense pfBlockerNG through 2.1.4_26 allows remote attackers to execute arbitrary OS commands as root via shell metacharacters in the HTTP Host header. NOTE: 3.x is unaffected.
An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) for a pathname to file_get_contents or file_put_contents.
Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an Arbitrary Command Execution issue in apcupsd_status.php.