-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-26_03.webgui                                    Security Advisory
                                                                     pfSense

Topic:          Stored XSS in diag_arp.php when using ISC DHCP

Category:       pfSense Base System
Module:         webgui
Announced:      2026-04-01
Credits:        Romain DEPERNE
Affects:        pfSense Plus software versions <= 26.03
                pfSense CE software versions <= 2.8.1
Corrected:      2026-03-27 16:07:30 UTC (pfSense Plus master, 26.07)
                2026-03-27 16:07:30 UTC (pfSense CE master, 2.9.0)

0.   Revision History

     v1.0  2026-04-01  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall
distributions, there is no need for any UNIX knowledge. The command line is
never used, and there is no need to ever manually edit any rule sets.
Instead, pfSense software includes a web interface for the configuration of
all included components. Users familiar with commercial firewalls will
quickly understand the web interface, while those unfamiliar with
commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

A potential stored Cross-Site Scripting (XSS) vulnerability was identified
in diag_arp.php, a component of the pfSense Plus and pfSense CE software
GUI, in conjunction with having the ISC DHCP backend configured and active.
A malicious DHCP client on a local network connected to an interface with
ISC DHCP service active can send a specially-crafted hostname containing an
XSS payload. The ISC DHCP daemon will accept that hostname and store it in
the lease database. The diag_arp.php page can read these hostnames directly
from the DHCP lease database, and it does not perform encoding on the
hostnames when it prints them for ARP table entries.

This problem is present on pfSense Plus version 26.03, pfSense CE version
2.8.1, and earlier versions of both.

III. Impact

Due to the lack of validation and encoding on the hostname contents, the
diag_arp.php page is susceptible to XSS when using the ISC DHCP server
backend. Arbitrary JavaScript could be executed in the user's browser. The
user's session cookie or other information from the session may be
compromised.

This does not affect the Kea DHCP backend as it properly cleans up the
hostname of any invalid characters before storing the value, rendering it
inert.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Change to the Kea DHCP Backend
* Do not log into the firewall with the same browser used for
  non-administrative web browsing.

V.   Solution

Users can upgrade to pfSense Plus software version 26.07 or later, or
pfSense CE software versions after 2.8.1 when available. This upgrade may be
performed in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus versions 26.03 or 25.11.1, and pfSense CE version
2.8.1 may apply the fix from the recommended patches list in the System
Patches package after installing or updating the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes
to the affected files if the patches do not apply directly.
See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
plus/plus-master                         228b2a0e66d97abcae2dd5b8c2c91e76620bea20
pfSense/master                           228b2a0e66d97abcae2dd5b8c2c91e76620bea20
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
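Added illustration for sections II and III above (this is editor-added example code, not pfSense code): it parses a constructed ISC dhcpd.leases snippet, flags client-hostname values that fall outside the normal hostname alphabet, applies a Kea-style character clean-up, and HTML-encodes the value the way an ARP-table cell should before it is printed. The lease-file handling (block layout, backslash escapes) and the exact character set Kea keeps are assumptions, not taken from either project's source.

```python
import html
import re

# Constructed sample of an ISC dhcpd.leases file (not from any real system).
# The second lease carries markup in its hostname to stand in for a stored
# payload; only the presence of non-hostname characters matters here.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  starts 3 2026/03/25 10:00:00;
  ends 3 2026/03/26 10:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-01";
}
lease 192.168.1.51 {
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "pc<b>x</b>";
}
"""

LEASE_RE = re.compile(r'lease\s+(\S+)\s*\{(.*?)\}', re.S)
# Quoted string with backslash escapes (assumed escaping convention).
HOSTNAME_RE = re.compile(r'client-hostname\s+"((?:[^"\\]|\\.)*)"\s*;')
# Letters, digits, dot and hyphen: what a hostname may legitimately contain.
VALID_HOSTNAME_RE = re.compile(r'^[A-Za-z0-9.-]+$')


def parse_leases(text):
    """Return {ip: hostname or None} for every lease block in the file."""
    out = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        h = HOSTNAME_RE.search(body)
        out[ip] = re.sub(r'\\(.)', r'\1', h.group(1)) if h else None
    return out


def is_suspicious(hostname):
    """True when a stored hostname contains characters a hostname never needs."""
    return hostname is not None and not VALID_HOSTNAME_RE.match(hostname)


def audit(text):
    """Detection: list (ip, hostname) pairs whose hostname fails the check."""
    return [(ip, h) for ip, h in parse_leases(text).items() if is_suspicious(h)]


def sanitize_like_kea(hostname):
    """Storage-side mitigation: drop invalid characters (assumed Kea-like)."""
    return re.sub(r'[^A-Za-z0-9.-]', '', hostname or '')


def render_arp_cell(hostname):
    """Output-side fix: encode for HTML before printing an ARP table entry."""
    return html.escape(hostname or '', quote=True)
```

Running audit() over a copy of /var/dhcpd/var/db/dhcpd.leases pulled from an unpatched firewall tells you whether any client has already planted such a hostname; render_arp_cell() shows why the encoded value is inert in the browser.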