CVE-2019-25370 MEDIUM

CVE-2019-25370: OPNsense 19.1 Reflected XSS via interfaces_vlan_edit.php

Vendor Opnsense

Product OPNsense

Weakness CWE-79 · XSS

Published February 15, 2026

Last update May 24, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through multiple parameters. Attackers can send POST requests to interfaces_vlan_edit.php with script payloads in the tag, descr, or vlanif parameters to execute arbitrary JavaScript in users' browsers.

Key dates

02Disclosure timeline

February 15, 2026 CVE published

May 24, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2019-25370 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2026-47943 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2024-30177 WordPress Exclusive Addons for Elementor plugin <= 2.6.8 - Cross Site Scripting (XSS) vulnerability CVE-2024-8793 Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More <= 2.7.2.1 - Reflected Cross-Site Scripting CVE-2025-53933 WeGIA vulnerable to Stored Cross-Site Scripting via endpoint 'adicionar_enfermidade.php' parameter 'nome' CVE-2025-57935 WordPress Bot Block – Stop Spam Referrals in Google Analytics Plugin <= 2.6 - Cross Site Scripting (XSS) Vulnerability