Description
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the ADDRESS BCC parameter to /cgi-bin/smtprouting.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Published: 2026-04-02
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the ADDRESS BCC field of /cgi-bin/smtprouting.cgi. An attacker with valid credentials can embed JavaScript that is saved in the system. When other users load the page, the script runs in their browsers, exposing them to session hijacking, credential theft, or malicious redirects. This aligns with CWE‑79.

Affected Systems

Endian Firewall versions 3.3.25 and earlier, including 2.1.2, 2.4, 3.3.25, and the community edition, are affected. The flaw exists in the firewalls running those builds.

Risk and Exploitability

The CVSS base score of 5.1 indicates moderate severity. The EPSS score is below 1 %, showing low likelihood of exploitation currently. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires having authenticated access to the firewall administration interface; once logged in, an attacker can inject the payload through the ADDRESS BCC field of the SMTP routing configuration. The attacker’s impact is limited to browsers of users who view the modified page.

Generated by OpenCVE AI on April 6, 2026 at 19:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Endian Firewall patch or upgrade to a version where the vulnerability is fixed (e.g., 3.3.26+).
  • Restrict administrative access to trusted users and network segments.

Generated by OpenCVE AI on April 6, 2026 at 19:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Endian firewall Community
CPEs cpe:2.3:a:endian:firewall_community:*:*:*:*:*:*:*:*
Vendors & Products Endian firewall Community

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the ADDRESS BCC parameter to /cgi-bin/smtprouting.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Title Endian Firewall /cgi-bin/smtprouting.cgi ADDRESS BCC Stored Cross-Site Scripting
First Time appeared Endian
Endian firewall
Weaknesses CWE-79
CPEs cpe:2.3:a:endian:firewall:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:2.4:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:3.3.25:*:*:*:*:*:*:*
Vendors & Products Endian
Endian firewall
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Endian Firewall Firewall Community
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-02T16:22:30.054Z

Reserved: 2026-03-30T20:26:18.726Z

Link: CVE-2026-34817

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T15:16:50.310

Modified: 2026-04-06T16:12:17.587

Link: CVE-2026-34817

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:56:11Z

Weaknesses