CVE-2019-25375

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. Attackers can send POST requests to the monit interface with JavaScript payloads in the mailserver parameter to execute arbitrary code in users' browsers.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://forum.opnsense.org/index.php?topic=11469.0	Release Notes
https://opnsense.org	Product
https://www.exploit-db.com/exploits/46351	Exploit Third Party Advisory VDB Entry
https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-monit-interface	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:opnsense:opnsense:19.1:*:*:*:*:*:*:*

History

18 Feb 2026, 19:11

Type	Values Removed	Values Added
CPE		cpe:2.3:a:opnsense:opnsense:19.1:::::::*
References	~~() https://forum.opnsense.org/index.php?topic=11469.0 -~~	() https://forum.opnsense.org/index.php?topic=11469.0 - Release Notes
References	~~() https://opnsense.org -~~	() https://opnsense.org - Product
References	~~() https://www.exploit-db.com/exploits/46351 -~~	() https://www.exploit-db.com/exploits/46351 - Exploit, Third Party Advisory, VDB Entry
References	~~() https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-monit-interface -~~	() https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-monit-interface - Third Party Advisory
First Time		Opnsense opnsense Opnsense

18 Feb 2026, 17:52

Type	Values Removed	Values Added
Summary		(es) OPNsense 19.1 contiene una vulnerabilidad de cross-site scripting reflejado que permite a atacantes no autenticados inyectar scripts maliciosos al enviar una entrada manipulada al parámetro mailserver. Los atacantes pueden enviar solicitudes POST a la interfaz monit con cargas útiles de JavaScript en el parámetro mailserver para ejecutar código arbitrario en los navegadores de los usuarios.

15 Feb 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-15 14:16

Updated : 2026-02-18 19:11

NVD link : CVE-2019-25375

Mitre link : CVE-2019-25375

CVE.ORG link : CVE-2019-25375

JSON object : View

Products Affected

opnsense

opnsense

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10