=============================================================================
pfSense-SA-26_04.webgui                                     Security Advisory
                                                                      pfSense

Topic:          XSS in RSS Dashboard widget feed content post titles

Category:       pfSense Base System
Module:         webgui
Announced:      2026-04-01
Credits:        Ivan Lepies
Affects:        pfSense Plus software versions <= 26.03
                pfSense CE software versions <= 2.8.1
Corrected:      2026-03-31 18:27:18 UTC (pfSense Plus master, 26.07)
                2026-03-31 18:33:44 UTC (pfSense CE master, 2.9.0)

0.   Revision History

     v1.0  2026-04-01 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls
may encounter a short learning curve.

II.  Problem Description

A potential stored Cross-Site Scripting (XSS) vulnerability was identified
in the RSS Dashboard widget, rss.widget.php, a component of the pfSense Plus
and pfSense CE software GUI, from feed content post titles. A malicious feed
configured in the RSS widget could deliver a specially crafted post title
containing an XSS payload. The RSS widget will read the feed and cache the
content, and display it to dashboard users.

This problem is present on pfSense Plus version 26.03, pfSense CE version
2.8.1, and earlier versions of both.

III. Impact

Due to the lack of validation and encoding on the RSS feed post title, the
rss.widget.php widget is susceptible to XSS from untrusted feed sources.
Arbitrary JavaScript could be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.

This only affects users with the RSS Dashboard widget active and configured
with an untrustworthy feed.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Remove any untrusted feeds from the RSS widget
* Remove the RSS feed widget from the dashboard

V.   Solution

Users can upgrade to pfSense Plus software version 26.07 or later, or
pfSense CE software versions after 2.8.1 when available. This upgrade may
be performed in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus versions 26.03 or 25.11.1, and pfSense CE version
2.8.1 may apply the fix from the recommended patches list in the System
Patches package after installing or updating the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes
to the affected files if the patches do not apply directly. See
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.
Branch/path                                                          Revision
-----------------------------------------------------------------------------
plus/plus-master                     9363ac5b8651a1c7a333180425ce7719070f95f9
pfSense/master                       9363ac5b8651a1c7a333180425ce7719070f95f9
-----------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
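To make the point of sections II and III concrete, the following is an added Python illustration (not pfSense's own PHP code from rss.widget.php, and the feed is constructed): it shows that a well-formed feed still hands the widget a post title containing raw markup once the XML parser has decoded the entities, contrasts inserting that title into HTML as-is with HTML-encoding it on output, and adds a simple check a defender can run over cached feed content to spot an untrustworthy feed that is already configured.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample feed, not a real one. The second title is XML-escaped,
# so the feed document is well-formed; the parser decodes the entities and
# hands the widget a title string that contains raw HTML markup.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>Release notes</title><link>https://example.invalid/1</link></item>
<item><title>&lt;script&gt;alert(1)&lt;/script&gt; Update</title>
<link>https://example.invalid/2</link></item>
</channel></rss>"""

# Tag-like token: "<", optional "/", then a letter or "!" (comments, doctype).
TAG_LIKE = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)


def parse_titles(feed_xml: str) -> list[str]:
    """Return post titles as the XML parser delivers them (entities decoded)."""
    root = ET.fromstring(feed_xml)
    return [item.findtext("title", default="") for item in root.iter("item")]


def render_title_unsafe(title: str) -> str:
    """Vulnerable pattern: feed text is inserted into the HTML response as-is."""
    return f"<li>{title}</li>"


def render_title_safe(title: str) -> str:
    """Hardened pattern: HTML-encode on output so the title is shown, not run.

    quote=True also escapes ' and ", which matters if a title ever lands
    inside an attribute value rather than element text.
    """
    return f"<li>{html.escape(title, quote=True)}</li>"


def looks_like_markup(title: str) -> bool:
    """Defender-side check over cached feed content: flag titles carrying a
    tag-like token or a javascript: URL. Output encoding remains the fix;
    this only helps locate a feed that should be removed from the widget."""
    return bool(TAG_LIKE.search(title)) or "javascript:" in title.lower()


def audit_feed(feed_xml: str) -> list[tuple[str, bool]]:
    """Pair each post title with whether it looks like injected markup."""
    return [(t, looks_like_markup(t)) for t in parse_titles(feed_xml)]
```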