Pfsense: >> Pfsense >> 2.8.0 Security Vulnerabilities
Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.
CVSS Score
9.9
EPSS Score
0.005
Published
2026-05-08
In Netgate pfSense CE 2.8.0, the "WebCfg - Diagnostics: Command" privilege allows reading arbitrary files via diag_command.php dlPath directory traversal. NOTE: the Supplier's perspective is that this is intended behavior for this privilege level, and that system administrators are informed through both the product documentation and UI.
CVSS Score
5.0
EPSS Score
0.018
Published
2025-06-28