Description
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/vpnfw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Published: 2026-04-02
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in Endian Firewall when processing the remark parameter of the vpnfw.cgi script. An authenticated user can inject arbitrary JavaScript that the system stores and later renders on pages viewed by other users. This stored cross‑site scripting can allow attackers to steal session cookies, deface content, or execute malicious code within the victim’s browser context.

Affected Systems

Affected by this flaw are Endian Firewall 3.3.25 and all earlier releases of the Enterprise line as well as versions 2.1.2, 2.4, and the community edition. Users running any of these versions without a vendor‑issued fix are vulnerable.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity. The EPSS rate of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not in the CISA KEV catalog. Nevertheless, because the attack requires authentication and originates from privileged users, the risk remains non‑zero. An exploit would involve logging in with permission to modify remarks, submitting a payload, and waiting for another user to load the page that displays the stored remark.

Generated by OpenCVE AI on April 7, 2026 at 19:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or upgrade to the latest Endian Firewall version.
  • If a patch is unavailable, reduce the privileges of users who can modify the remark field or disable the remark feature entirely.
  • Implement a Content Security Policy that restricts execution of inline scripts to further mitigate stored XSS.
  • Audit existing remark entries for embedded script tags and remove any suspicious content.
  • Monitor web traffic for unauthorized script execution and review logs for anomalous activity.

Generated by OpenCVE AI on April 7, 2026 at 19:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Endian firewall Community
CPEs cpe:2.3:a:endian:firewall_community:*:*:*:*:*:*:*:*
Vendors & Products Endian firewall Community

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/vpnfw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Title Endian Firewall /cgi-bin/vpnfw.cgi remark Stored Cross-Site Scripting
First Time appeared Endian
Endian firewall
Weaknesses CWE-79
CPEs cpe:2.3:a:endian:firewall:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:2.4:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:3.3.25:*:*:*:*:*:*:*
Vendors & Products Endian
Endian firewall
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Endian Firewall Firewall Community
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-02T15:39:48.431Z

Reserved: 2026-03-30T20:26:18.725Z

Link: CVE-2026-34810

cve-icon Vulnrichment

Updated: 2026-04-02T15:39:38.373Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T15:16:48.707

Modified: 2026-04-07T14:26:39.693

Link: CVE-2026-34810

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:55:52Z

Weaknesses