CVE-2019-25371

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted POST requests to the diag_ping.php endpoint with script payloads in the host parameter to execute arbitrary JavaScript in users' browsers.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://forum.opnsense.org/index.php?topic=11469.0	Release Notes
https://opnsense.org	Product
https://www.exploit-db.com/exploits/46351	Exploit Third Party Advisory VDB Entry
https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-diagpingphp	Broken Link

Configurations

Configuration 1 (hide)

cpe:2.3:a:opnsense:opnsense:19.1:*:*:*:*:*:*:*

History

18 Feb 2026, 19:14

Type	Values Removed	Values Added
CPE		cpe:2.3:a:opnsense:opnsense:19.1:::::::*
First Time		Opnsense opnsense Opnsense
References	~~() https://forum.opnsense.org/index.php?topic=11469.0 -~~	() https://forum.opnsense.org/index.php?topic=11469.0 - Release Notes
References	~~() https://opnsense.org -~~	() https://opnsense.org - Product
References	~~() https://www.exploit-db.com/exploits/46351 -~~	() https://www.exploit-db.com/exploits/46351 - Exploit, Third Party Advisory, VDB Entry
References	~~() https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-diagpingphp -~~	() https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-diagpingphp - Broken Link

18 Feb 2026, 17:52

Type	Values Removed	Values Added
Summary		(es) OPNsense 19.1 contiene una vulnerabilidad de cross-site scripting reflejado que permite a atacantes no autenticados inyectar scripts maliciosos explotando una validación de entrada insuficiente en el parámetro host. Los atacantes pueden enviar solicitudes POST manipuladas al endpoint diag_ping.php con cargas útiles de script en el parámetro host para ejecutar JavaScript arbitrario en los navegadores de los usuarios.

15 Feb 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-15 14:16

Updated : 2026-02-18 19:14

NVD link : CVE-2019-25371

Mitre link : CVE-2019-25371

CVE.ORG link : CVE-2019-25371

JSON object : View

Products Affected

opnsense

opnsense

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10