Description
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/zonefw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Published: 2026-04-02
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

An authenticated user can supply arbitrary JavaScript to the remark field that is stored and later executed whenever other users view the affected page. This stored cross‑site scripting flaw, characterized by CWE‑79, allows the attacker to inject client‑side code that can manipulate the web interface, deface content, or harvest session cookies and other sensitive data from other users’ browsers.

Affected Systems

The vulnerability affects Endian Firewall software. Versions 3.3.25 and all earlier releases—including cpe:2.3:a:endian:firewall:2.1.2, cpe:2.3:a:endian:firewall:2.4, cpe:2.3:a:endian:firewall:3.3.25, and the community build cpe:2.3:a:endian:firewall_community—are susceptible. Administrators should verify whether their deployment is running any of these affected releases.

Risk and Exploitability

With a CVSS score of 5.1 the flaw presents moderate severity. The EPSS score indicates a probability of exploitation below 1%, and it is not listed in the CISA KEV catalog. Exploitation requires an authenticated session on the web interface; once authenticated, an attacker can store malicious JavaScript and affect all other users who view the zone firewall page.

Generated by OpenCVE AI on April 7, 2026 at 19:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • When an official Endian Firewall patch or update that addresses the stored XSS in /cgi-bin/zonefw.cgi becomes available, apply it immediately.
  • If no patch is currently released, temporarily disable or tightly restrict access to /cgi-bin/zonefw.cgi for non‑essential users or remove the remark functionality altogether.
  • Verify the installed firmware version and upgrade to a supported release if the system is running 3.3.25 or older.
  • Implement server‑side input sanitization for the remark parameter to encode or strip JavaScript characters.
  • Monitor firewall logs for unexpected JavaScript execution or suspicious input patterns.

Generated by OpenCVE AI on April 7, 2026 at 19:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Endian firewall Community
CPEs cpe:2.3:a:endian:firewall_community:*:*:*:*:*:*:*:*
Vendors & Products Endian firewall Community

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/zonefw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Title Endian Firewall /cgi-bin/zonefw.cgi remark Stored Cross-Site Scripting
First Time appeared Endian
Endian firewall
Weaknesses CWE-79
CPEs cpe:2.3:a:endian:firewall:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:2.4:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:3.3.25:*:*:*:*:*:*:*
Vendors & Products Endian
Endian firewall
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Endian Firewall Firewall Community
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-02T18:38:54.294Z

Reserved: 2026-03-30T20:26:18.725Z

Link: CVE-2026-34809

cve-icon Vulnrichment

Updated: 2026-04-02T18:38:47.113Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T15:16:48.497

Modified: 2026-04-07T14:28:39.050

Link: CVE-2026-34809

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:55:54Z

Weaknesses