CVE-2019-25377 MEDIUM

CVE-2019-25377: OPNsense 19.1 Reflected XSS via system_advanced_sysctl.php

Vendor Opnsense
Product OPNsense
Weakness CWE-79 · XSS
Published February 15, 2026
Last update May 24, 2026
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. Attackers can craft POST requests with script payloads in the value parameter to execute JavaScript in the context of authenticated user sessions.

Key dates

02Disclosure timeline

February 15, 2026 CVE published
May 24, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-30771 WordPress WP Cassify plugin <= 2.3.5 - Cross Site Scripting (XSS) Vulnerability CVE-2024-3433 PuneethReddyHC Event Management register.php cross site scripting CVE-2025-3752 Able Player, accessible HTML5 media player <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via preload Parameter CVE-2023-1878 Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq CVE-2023-35024 IBM Cloud Pak for Business Automation cross-site scripting