-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-26_02.webgui                                    Security Advisory
                                                                pfSense

Topic:          Stored XSS in Delegated Length value for Kea Prefix Delegation

Category:       pfSense Base System
Module:         webgui
Announced:      2026-04-01
Credits:        Jared Folkins
Affects:        pfSense Plus software versions < 26.03
                pfSense CE software versions <= 2.8.1
Corrected:      2026-03-12 18:26:03 UTC (pfSense Plus master, 26.07)
                2026-03-13 18:23:51 UTC (pfSense Plus plus-RELENG_26_03, 26.03)
                2026-03-12 18:26:03 UTC (pfSense CE master, 2.9.0)

0.   Revision History

     v1.0  2026-04-01  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls
may encounter a short learning curve.

II.  Problem Description

A potential stored Cross-Site Scripting (XSS) vulnerability was identified
in services_dhcpv6.php, a component of the pfSense Plus and pfSense CE
software GUI.
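As an added illustration (not pfSense's own code and not the project's
actual fix for services_dhcpv6.php), the PHP below shows the general pattern
behind this class of flaw: a form value that is saved to the configuration
and later emitted into an inline script block on the same page, first with
no validation or encoding, then with an integer range check on save and
JSON encoding on output. The function names, the 48 to 64 range and the
sample inputs are assumptions constructed for the illustration.

```php
<?php
// Added illustration only; not pfSense's own code and not the project's fix.
// It shows the general pattern: a form value saved to config and later
// emitted into an inline <script> block on the same page.

// Save side: accept only a whole number in the expected range.
// The 48..64 bound is an assumption for this illustration.
function validate_pddellen(string $input, array &$errors): ?int
{
    if (!preg_match('/^[0-9]{1,3}$/', $input)) {
        $errors[] = 'Delegated Length must be a whole number.';
        return null;
    }
    $len = (int) $input;
    if ($len < 48 || $len > 64) {
        $errors[] = 'Delegated Length must be between 48 and 64.';
        return null;
    }
    return $len;
}

// Weak pattern: whatever was stored is dropped straight into the script.
// A stored value containing quotes or a closing tag changes the script.
function emit_script_unsafe(string $stored): string
{
    return "<script>var pddellen = {$stored};</script>";
}

// Hardened pattern: encode for a JavaScript context. json_encode() produces a
// valid JS literal; the HEX flags turn < > & ' " into \u escapes so the value
// can never terminate the <script> element or the string it sits in.
function emit_script_safe($stored): string
{
    $js = json_encode(
        $stored,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return "<script>var pddellen = {$js};</script>";
}

// Constructed inputs for a quick self-check from the command line.
if (PHP_SAPI === 'cli') {
    $errors = [];
    var_dump(validate_pddellen('56', $errors));     // int(56), no error added
    var_dump(validate_pddellen('64<b>', $errors));  // NULL, first error added
    var_dump(validate_pddellen('200', $errors));    // NULL, second error added
    echo implode("\n", $errors), "\n";
    echo emit_script_unsafe('64<b>'), "\n";  // the tag lands inside the script
    echo emit_script_safe('64<b>'), "\n";    // var pddellen = "64\u003Cb\u003E";
    echo emit_script_safe(56), "\n";         // var pddellen = 56;
}
```

Both halves matter: the range check on save keeps malformed values out of
the stored configuration, and the context-aware encoding on output protects
the page even if a bad value reaches the configuration by another route.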
The services_dhcpv6.php page does not sufficiently validate the
user-supplied Delegated Length (pddellen) value when saving settings. The
stored value is subsequently inserted into JavaScript without encoding when
the DHCP backend is set to Kea.

This problem is present on pfSense Plus version 25.11.1, pfSense CE version
2.8.1, and earlier versions of both.

III. Impact

Due to the lack of validation and encoding on the Delegated Length value,
the services_dhcpv6.php page is susceptible to XSS when using the Kea DHCP
server backend. Arbitrary JavaScript could be executed in the user's
browser. The user's session cookie or other information from the session
may be compromised.

The page is not susceptible to XSS when using the ISC DHCP backend.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.
* Do not grant users write access to the configuration unnecessarily.
* Do not log into the firewall with the same browser used for
  non-administrative web browsing.

V.   Solution

Users can upgrade to pfSense Plus software version 26.03 or later, or
pfSense CE software versions after 2.8.1 when available. This upgrade may be
performed in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 25.11.1 and pfSense CE version 2.8.1 may apply
the fix from the recommended patches list in the System Patches package
after installing or updating the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes
to the affected files if the patches do not apply directly. See
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.
Branch/path                                                         Revision
- - -------------------------------------------------------------------------
plus/plus-master                  abe85e63b3b8427eaf8f8f672ae1f3b638763fb2
plus/plus-RELENG_26_03            916b42ee56a2c9f6b94805ae27527fcf83a92f1d
pfSense/master                    abe85e63b3b8427eaf8f8f672ae1f3b638763fb2
- - -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmnMGkkACgkQE7mH/ZIU
+Nqqig/+P+pQo26kKLzZ95I+V8tEin3Un+vAlq3zOuPr67BDXOA6qrWVEfeV3jSV
2Ypuc/yhRpKFeU1nA7xylDuHJ8U8prMqTJcgO3AZd6kBxZ6QjQUOuRnUxEPajYsS
KUyy193knYOqqCYqMUhsdGm79GYGmrh6PdRTLn/azMgoz1SCQnFVVYBhbP0TNXDR
Ub2u8Nr1jaZ/IODlSEVwV5cOKL4C8zawGHBF3bbpHyLsu5+w7VmHQw70vKPYlsEk
jXbM4nzrKUK6cdoQw1uaK4gMLbyxByp2gg6gmH4h3Ph0Tmptm6Oe7JlEdSHzfiz9
AAKEhcCbbFGz7IwYRaLB8zhUJFkocxzgvg5i6KK/GWai/h5GP4FujCwV6jDO42nL
MlJiimfr6SVfb9B7XxCpyj8vf5APhBCFDaW/Gq/t+771Ly7v0cSQu5OpftijHA7v
TiA5p1SLCBTHHyRFaEoH5OnXRPICsaVJrWr2j6mgVk0a8/qtJ/2OJcivObELDwqF
zPV6WE8gGxkJeEerxFzzUxzt6kaCeBxKPrhIOj6sF/GGjr1CAw7rwE9sEmaIe4MR
n0ePjg+aqrCUCBZMXaVfQG9FkxdS4Qw9k7yu+qIapS10wMCcJpahSs3t3195hlGE
3nRJxRXYTeoK1KV8KYzZpT9HCTCKL6QjPrlzTSt9eLLASDdWGEg=
=YC3c
-----END PGP SIGNATURE-----