I did my homework before asking. No CUPS package to be found in OPNsense and no port 631 listening.
However, since *BSD is potentially affected, I would like to confirm that there is indeed no risk for OPNsense. Could any third-party package install CUPS?
Thank you.
You can probably install cups if you want to, but I don't see why you would.
For the packages in the OpnSense repository, Deciso will bring updates if/when that is needed.
Once you enable other repos (inlcuding the official FreeBSD ones), YMMV.
I think there are bigger potential risks than to deliberately install a package on a firewall that does not belong there, like using a package and missing vital points, such as: "When I install squid and enable it for any interface (possibly because I want to filter traffic), it is able to access any other VLAN despite firewall rules saying some VLANs are restricted."