Critical Alert 1 Active Exploit Detected Today

CVE-2008-4128 Cisco IOS Cross-Site Request Forgery Vulnerability →
Powered by CVE Watchtower
×

CVE Watchtower


← Back to CVE List

CVE-2026-44194NVD

Vulnerability Summary

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user with user-management privileges to execute arbitrary system commands as root. An attacker can bypass input validation by formatting their malicious payload as a compliant email address, allowing shell commands to reach the underlying operating system. The flaw exists in the local user synchronization flow, within core/src/opnsense/scripts/auth/sync_user.php. This vulnerability is fixed in 26.1.8.
Severity Level
CRITICAL(9.1)
Published Date
May 13, 2026
Last Modified
May 15, 2026
Exploitation Status
No confirmed exploitation yet
EPSS Score (30-Day)
0.24%Probability
Root Weakness (CWE)
The software constructs all or part of an OS command using externally-influenced input, but does not properly neutralize special elements.
CVSS v3.1 Base Metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredHigh
User InteractionNone
ScopeChanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh