OPNsense prior to 23.7.5 allows XSS via the index.php column_count parameter to the Lobby Dashboard.
opnsense opnsense