CVE-2025-34175
MediumCVSS 6.1Exploitation Probability (EPSS)
Very high risk96th percentile - higher than 96% of all known CVEs
Summary
In pfSense CE, the file /usr/local/www/suricata/suricata_filecheck.php directly displays the value of the filehash parameter without sanitizing HTML-related characters/strings. This can result in reflected cross-site scripting (XSS) if the victim is authenticated.
Risk Assessment
The risk involves the execution of a malicious script in the browser of an authenticated administrator, potentially leading to session theft, configuration modification, or further network attacks.
Recommendation
Immediately update pfSense CE to the latest patched version and apply proper input filtering and output encoding for the filehash parameter.
Original NVD description (English source)
In pfSense CE /usr/local/www/suricata/suricata_filecheck.php, the value of the filehash parameter is directly displayed without sanitizing for HTML-related characters/strings. This can result in reflected cross-site scripting if the victim is authenticated.

