CVE-2025-34174

Name of the Vulnerable Software and Affected Versions: pfSense CE (affected versions not specified)

Description: The start-day parameter in /usr/local/www/status traffic totals.php does not undergo proper validation to ensure it is a numeric value or sanitized of HTML-related characters before being displayed. This can lead to stored cross-site scripting (XSS) where an attacker can save a malicious value as the default display for all users visiting the Status Traffic Totals page. An attacker must have at least “WebCfg - Status: Traffic Totals” permissions to exploit this issue.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.