CVE-2026-26352
Stored XSS in Smoothwall Express vpnmain.cgi Allows Script Injection
Publication date: 2026-03-30
Last updated on: 2026-04-14
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| smoothwall | smoothwall_express | to 3.0 (inc) |
| smoothwall | smoothwall_express | 3.1 |
| smoothwall | smoothwall_express | 3.1 |
| smoothwall | smoothwall_express | 3.1 |
| smoothwall | smoothwall_express | 3.1 |
| smoothwall | smoothwall_express | 3.1 |
| smoothwall | smoothwall_express | 3.1 |
| smoothwall | smoothwall_express | 3.1 |
| smoothwall | smoothwall_express | 3.1 |
| smoothwall | smoothwall_express | 3.1 |
| smoothwall | smoothwall_express | 3.1 |
| smoothwall | smoothwall_express | 3.1 |
| smoothwall | smoothwall_express | 3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26352 is a stored cross-site scripting (XSS) vulnerability found in Smoothwall Express versions prior to 3.1 Update 13. It exists in the /cgi-bin/vpnmain.cgi script due to improper sanitization of the VPN_IP parameter.
Authenticated attackers can exploit this flaw by injecting arbitrary JavaScript code through VPN configuration settings. This malicious script then executes when other users view the affected page, potentially compromising their security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the stored cross-site scripting vulnerability in Smoothwall Express affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to inject and execute arbitrary JavaScript code in the context of other users viewing the affected page.
- It can lead to unauthorized actions performed on behalf of other users.
- It may result in theft of sensitive information such as session tokens or credentials.
- The attack complexity is low, and it requires only authenticated access, making it a medium severity risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the stored cross-site scripting issue in the /cgi-bin/vpnmain.cgi script, specifically by examining the VPN_IP parameter in VPN configuration settings for injected JavaScript code.
Since the vulnerability involves improper sanitization of the VPN_IP parameter, detection can involve reviewing VPN configuration inputs or monitoring HTTP requests and responses to /cgi-bin/vpnmain.cgi for suspicious or unexpected JavaScript code.
No specific commands are provided in the available resources to detect this vulnerability directly.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Smoothwall Express to version 3.1 Update 13 or later, where this vulnerability is fixed.
Until an upgrade can be applied, restrict access to the /cgi-bin/vpnmain.cgi script to trusted authenticated users only, and carefully validate or sanitize VPN_IP parameter inputs to prevent injection of malicious scripts.
Additionally, monitor VPN configuration changes for suspicious entries and educate users about the risks of stored XSS vulnerabilities.