Description
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dhcp/fixed_leases/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Published: 2026-04-02
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting execution
Action: Apply Patch
AI Analysis

Impact

A stored cross‑site scripting flaw allows an authenticated user to inject arbitrary JavaScript into the remark field on the /manage/dhcp/fixed_leases/ page. The injected script is then persisted and executed in the browsers of any user who views the page, potentially enabling session hijacking, credential theft, or defacement. The weakness is the classic stored XSS defect identified as CWE‑79.

Affected Systems

Endian Firewall appliances running version 3.3.25 and earlier, as well as certain 2.1.2 and 2.4 releases, are susceptible to this vulnerability. The affected software releases are explicitly listed in Endian’s documentation and the corresponding CPE entries.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. Because the flaw requires authentication, exploitation is likely limited to attackers that can log into the administrative interface or have compromised legitimate administrative credentials, which may be local or remote depending on network configuration. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, so while a known exploit is not documented, the potential exists. Administrators should treat this as a moderate to high risk if privileged accounts are not tightly controlled.

Generated by OpenCVE AI on April 2, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Endian Firewall update that resolves the XSS defect.
  • If a patch is not yet available, restrict administrative access to trusted network segments and enforce strong authentication.
  • Monitor the /manage/dhcp/fixed_leases/ page for unexpected JavaScript execution or unusual user activity.
  • Regularly check Endian’s support site for new patches or advisories.

Generated by OpenCVE AI on April 2, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dhcp/fixed_leases/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Title Endian Firewall /manage/dhcp/fixed_leases/ remark Stored Cross-Site Scripting
First Time appeared Endian
Endian firewall
Weaknesses CWE-79
CPEs cpe:2.3:a:endian:firewall:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:2.4:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:3.3.25:*:*:*:*:*:*:*
Vendors & Products Endian
Endian firewall
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Endian Firewall
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-02T15:25:39.992Z

Reserved: 2026-03-30T20:26:18.725Z

Link: CVE-2026-34801

cve-icon Vulnrichment

Updated: 2026-04-02T15:25:35.721Z

cve-icon NVD

Status : Received

Published: 2026-04-02T15:16:46.480

Modified: 2026-04-02T15:16:46.480

Link: CVE-2026-34801

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:20:42Z

Weaknesses