Description
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the name parameter to /manage/qos/classes/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Published: 2026-04-02
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting allowing arbitrary JavaScript execution in victim browsers
Action: Patch
AI Analysis

Impact

Endian Firewall versions up to 3.3.25 contain a stored cross‑site scripting flaw in the /manage/qos/classes/ name parameter. An authenticated attacker can submit arbitrary JavaScript that is saved to the database and later runs in the browser of any user who views the page, effectively executing code with the victim’s privileges within the web interface.

Affected Systems

Endian Firewall releases 2.1.2, 2.4, and 3.3.25 are affected. These versions expose the /manage/qos/classes/ endpoint for which the name field is not properly validated or encoded.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. Because an attacker must first authenticate, the attack vector is limited to users with legitimate credentials. Exploitation requires access to the management interface; the vulnerability is not listed in the CISA KEV catalog, and an EPSS score is not available, suggesting limited public exploitation. Affected users will see the injected script execute whenever they load the QoS classes page, granting the attacker the same permissions as the viewing user.

Generated by OpenCVE AI on April 2, 2026 at 17:08 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Endian Firewall to a patched version that removes the stored XSS flaw.
  • If a patch is not yet available, restrict access to the /manage/qos/classes/ page to trusted administrators only.
  • Apply server‑side input validation or encoding to the name parameter before storing it.
  • Monitor application logs for unexpected script injections or abnormal user activity.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type / Values Removed / Values Added (nothing was removed in this change)

Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 15:15:00 +0000

Type / Values Removed / Values Added (nothing was removed in this change)

Description: Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the name parameter to /manage/qos/classes/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

Title: Endian Firewall /manage/qos/classes/ name Stored Cross-Site Scripting

First Time appeared: Endian, Endian firewall

Weaknesses: CWE-79

CPEs:
cpe:2.3:a:endian:firewall:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:2.4:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:3.3.25:*:*:*:*:*:*:*

Vendors & Products: Endian, Endian firewall

References: (none)

Metrics:
cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-02T18:39:19.965Z

Reserved: 2026-03-30T20:26:18.725Z

Link: CVE-2026-34803

Vulnrichment

Updated: 2026-04-02T18:39:15.745Z

NVD

Status: Received

Published: 2026-04-02T15:16:47.030

Modified: 2026-04-02T15:16:47.030

Link: CVE-2026-34803

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:20:40Z

Weaknesses