Cyber Resilience

CVE-2026-45158

Critical

Published: 13 May 2026

Modified: 15 May 2026
CVSS Score v3.1: 9.1 · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.0053 · 40.9th percentile
Risk Priority: 70 · floored blend · peak EPSS

Summary

CVE-2026-45158 is a critical-severity Argument Injection (CWE-88) vulnerability in OPNsense. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 40.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

OPNsense is a FreeBSD-based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell script, allowing remote code execution as root on the underlying operating system. This vulnerability is fixed in 26.1.8.

CWE(s)

CWE-88 (Argument Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 · Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unsanitized input to the DHCP configuration is processed by a shell script, enabling RCE as root on a public-facing firewall (T1190); execution occurs via a Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44193 · Same product: OPNsense
CVE-2026-44194 · Same product: OPNsense
CVE-2025-50989 · Same product: OPNsense
CVE-2026-34578 · Same product: OPNsense
CVE-2026-30868 · Same product: OPNsense
CVE-2026-24126 · Shared CWE-88
CVE-2026-25134 · Shared CWE-88
CVE-2026-40281 · Shared CWE-88
CVE-2026-22582 · Shared CWE-88
CVE-2026-39884 · Shared CWE-88

Affected Assets

opnsense · opnsense · ≤ 26.1.8

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
