Description
Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross-site scripting vulnerability in the /cgi-bin/vpnmain.cgi script due to improper sanitation of the VPN_IP parameter. Authenticated attackers can inject arbitrary JavaScript through VPN configuration settings that executes when the affected page is viewed by other users.
Published: 2026-03-30
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via VPN_IP parameter
Action: Patch
AI Analysis

Impact

Smoothwall Express versions before 3.1 Update 13 store user‑supplied data in the VPN_IP parameter of the vpnmain.cgi script without proper sanitization. An authenticated attacker who can modify VPN configuration settings can inject arbitrary JavaScript. When the affected page is later viewed by other users, the injected script runs in their browsers, allowing the attacker to steal session cookies, deface the interface, or execute further malicious actions. This vulnerability falls under CWE‑79, a Cross‑Site Scripting weakness.

Affected Systems

The affected product is Smoothwall Express. All releases earlier than version 3.1 Update 13 (i.e., 3.1 Update 12 and earlier) are vulnerable. No newer major releases are listed.

Risk and Exploitability

The CVSS v3.1 score is 5.1, indicating medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. The attack requires legitimate administrative access to modify VPN settings, after which the malicious script can be served to other users who view the VPN page. While the window for exploitation is limited to user sessions that load the vulnerable page, any successful abuse could compromise the confidentiality of credentials and potentially allow further lateral movement if attackers can create additional scripts.

Generated by OpenCVE AI on March 30, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s update to Smoothwall Express 3.1 Update 13 or later to remove the vulnerability.
  • If a patch cannot be applied immediately, restrict VPN configuration access to trusted administrators and remove any untrusted data from the VPN_IP field before storage.
  • Monitor web interface logs for unexpected JavaScript payloads or repeated failed login attempts in the VPN configuration section.
  • Implement web security hardening such as enabling XSS protection headers, restricting inline scripting, and applying a content security policy.

Generated by OpenCVE AI on March 30, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Smoothwall
Smoothwall express
Vendors & Products Smoothwall
Smoothwall express

Mon, 30 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross-site scripting vulnerability in the /cgi-bin/vpnmain.cgi script due to improper sanitation of the VPN_IP parameter. Authenticated attackers can inject arbitrary JavaScript through VPN configuration settings that executes when the affected page is viewed by other users.
Title Smoothwall Express < 3.1 Update 13 Stored XSS in vpnmain.cgi via VPN_IP Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Smoothwall Express
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T18:09:05.294Z

Reserved: 2026-02-13T17:28:43.057Z

Link: CVE-2026-26352

cve-icon Vulnrichment

Updated: 2026-03-30T18:08:53.779Z

cve-icon NVD

Status : Received

Published: 2026-03-30T17:16:14.363

Modified: 2026-03-30T17:16:14.363

Link: CVE-2026-26352

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:40:39Z

Weaknesses