Description
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the DOMAIN parameter to /cgi-bin/smtpdomains.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Published: 2026-04-02
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The vulnerability permits an authenticated attacker to inject arbitrary JavaScript through the DOMAIN parameter in /cgi-bin/smtpdomains.cgi. The injected code is stored on the system and executed when other users view the affected page, enabling client‑side code execution. Based on the description, it is inferred that this could allow an attacker to steal session data, hijack credentials, or launch further web‑based attacks against users of the firewall interface.

Affected Systems

Endian Firewall installations running version 3.3.25 or earlier, as well as builds based on the 2.4 series and the 2.1.2 series, are affected. The flaw exists in the web interface that handles SMTP domain configuration and is present across all releases matching the provided CPE identifiers.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an authenticated user to submit a crafted DOMAIN value via the web UI. Once injected, the script runs for all users who access the page, creating a risk to confidentiality and potentially to the integrity of configuration data. The absence of exploit probability data means the threat level must be judged based on the vulnerability’s nature and the environment’s exposure.

Generated by OpenCVE AI on April 2, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Endian Firewall release that removes the stored‑XSS vulnerability
  • Restrict access to the /cgi-bin/smtpdomains.cgi endpoint to only trusted administrative users
  • Validate the DOMAIN input to reject or encode any JavaScript payloads before storing them
  • Monitor logs for unauthorized POST requests to the SMTP domains endpoint

Generated by OpenCVE AI on April 2, 2026 at 17:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the DOMAIN parameter to /cgi-bin/smtpdomains.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Title Endian Firewall /cgi-bin/smtpdomains.cgi DOMAIN Stored Cross-Site Scripting
First Time appeared Endian
Endian firewall
Weaknesses CWE-79
CPEs cpe:2.3:a:endian:firewall:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:2.4:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:3.3.25:*:*:*:*:*:*:*
Vendors & Products Endian
Endian firewall
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Endian Firewall
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-02T18:38:27.441Z

Reserved: 2026-03-30T20:26:18.726Z

Link: CVE-2026-34815

cve-icon Vulnrichment

Updated: 2026-04-02T18:38:23.766Z

cve-icon NVD

Status : Received

Published: 2026-04-02T15:16:49.817

Modified: 2026-04-02T15:16:49.817

Link: CVE-2026-34815

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:20:29Z

Weaknesses