Description
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/xtaccess.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Published: 2026-04-02
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting (arbitrary JavaScript execution)
Action: Patch
AI Analysis

Impact

This vulnerability allows an authenticated administrator to place arbitrary JavaScript into the remark field of /cgi-bin/xtaccess.cgi. The input is stored by the firewall and then executed whenever any user views the affected page, providing a stored XSS flaw. The weakness corresponds to CWE‑79, which can lead to session hijacking, data exfiltration, or defacement of the web interface.

Affected Systems

Endpoint machines running Endian Firewall versions 3.3.25 and all earlier releases (including 2.1.2 and 2.4) are affected. The vulnerable functionality is the /cgi-bin/xtaccess.cgi script, which accepts a remark parameter that can be manipulated by users with sufficient privileges.

Risk and Exploitability

With a CVSS score of 5.1 the flaw is of moderate severity. Exploitation requires successful authentication and the ability to edit a remark entry, and the vulnerability is not currently listed in the CISA KEV catalog. Though EPSS data is not available, the stored nature of the payload means that once an attacker injects code it can affect multiple users until the remark is removed or rewritten, thereby increasing the potential impact over time.

Generated by OpenCVE AI on April 2, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Endian Firewall firmware update that removes the vulnerability.
  • If an update is not immediately available, restrict or disable the /cgi-bin/xtaccess.cgi endpoint for users who do not require access.
  • Ensure that only trusted administrators have permission to modify remark entries.
  • Implement WAF rules to detect and block script payloads sent to /cgi-bin/xtaccess.cgi.
  • Monitor logs for unexpected script execution or abnormal remark input attempts.

Generated by OpenCVE AI on April 2, 2026 at 17:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/xtaccess.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Title Endian Firewall /cgi-bin/xtaccess.cgi remark Stored Cross-Site Scripting
First Time appeared Endian
Endian firewall
Weaknesses CWE-79
CPEs cpe:2.3:a:endian:firewall:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:2.4:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:3.3.25:*:*:*:*:*:*:*
Vendors & Products Endian
Endian firewall
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Endian Firewall
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-02T16:22:37.720Z

Reserved: 2026-03-30T20:26:18.725Z

Link: CVE-2026-34811

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-02T15:16:48.917

Modified: 2026-04-02T15:16:48.917

Link: CVE-2026-34811

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:20:33Z

Weaknesses