CVE-2026-34802
Stored XSS in Endian Firewall salearn.cgi Allows Script Injection
Publication date: 2026-04-02
Last updated on: 2026-04-07
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| endian | firewall_community | up to and including 3.3.25 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34802 is a stored cross-site scripting (XSS) vulnerability in Endian Firewall versions 3.3.25 and earlier. It occurs in the /cgi-bin/salearn.cgi script via the "remark user ham spam" parameter.
An authenticated attacker can inject arbitrary JavaScript code through this parameter. The injected code is stored on the server and executed when other users view the affected page.
This vulnerability is classified under CWE-79, which relates to improper neutralization of input during web page generation.
How can this vulnerability impact me?
The vulnerability allows an authenticated attacker to inject and store malicious JavaScript code that executes in the browsers of other users viewing the affected page.
This can lead to limited impacts on the confidentiality and integrity of the system, such as theft of session information or manipulation of displayed content.
The attack has low complexity but requires some privileges and user interaction, making it a moderate risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and inspecting HTTP requests to the /cgi-bin/salearn.cgi endpoint, specifically looking for the presence of suspicious or arbitrary JavaScript code injected via the "remark user ham spam" parameter.
Since the vulnerability requires authentication, detection involves verifying if authenticated users have submitted inputs containing JavaScript payloads in this parameter.
Commands or methods to detect this may include using web application scanners or manual inspection with tools like curl or wget to send crafted requests and observe the responses.
- Example curl command to test injection: `curl -u user:password -d "remark_user_ham_spam=<script>alert(1)</script>" https://target/cgi-bin/salearn.cgi`
- Use web proxy tools (e.g., Burp Suite) to intercept and modify requests to the vulnerable parameter and check if the injected script is stored and reflected.
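The request inspection described above, as an added example that is not part of the original page or of Endian's code: it scans captured requests to /cgi-bin/salearn.cgi and flags any form field whose decoded value carries markup. The record layout (method, URL, body), the function names and the sample records are assumptions constructed for illustration; the field name is taken from the curl example above.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/cgi-bin/salearn.cgi"  # path named in the advisory

# Heuristic markup indicators: an opening/closing tag, an inline event
# handler attribute, or a javascript: URL.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.I)

def normalize(value, rounds=3):
    """Undo layered URL and HTML-entity encoding so hidden markup is seen in clear."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_fields(method, url, body):
    """Return [(field, decoded_value)] for fields sent to ENDPOINT that carry markup."""
    parts = urlsplit(url)
    if parts.path != ENDPOINT:
        return []
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        pairs += parse_qsl(body, keep_blank_values=True)
    # Every field is checked, not only the one named in the advisory.
    return [(n, normalize(v)) for n, v in pairs if MARKUP.search(normalize(v))]

def scan(records):
    """Return indexes of records that contain at least one suspicious field."""
    return [i for i, rec in enumerate(records) if suspicious_fields(*rec)]

# Constructed sample records (method, URL, form-encoded body), standing in
# for WAF or reverse-proxy audit data; not taken from a real system.
SAMPLE = [
    ("POST", ENDPOINT, "remark_user_ham_spam=weekly+training+run"),
    ("POST", ENDPOINT, "remark_user_ham_spam=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    # Same value, URL-encoded twice.
    ("POST", ENDPOINT, "remark_user_ham_spam=%253Cscript%253Ealert(1)%253C%252Fscript%253E"),
    ("POST", "/cgi-bin/other.cgi", "q=%3Cb%3E"),  # different endpoint, ignored
]

if __name__ == "__main__":
    for i in scan(SAMPLE):
        print(i, suspicious_fields(*SAMPLE[i]))
```

Because the payload is stored, a hit identifies the submitting account and the time of submission, which is the starting point for reviewing what was saved and who viewed the page afterwards.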
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /cgi-bin/salearn.cgi endpoint to trusted users only and applying input validation or sanitization on the "remark user ham spam" parameter to prevent JavaScript injection.
Additionally, updating Endian Firewall to a version later than 3.3.25, where this vulnerability is fixed, is recommended.
If an update is not immediately possible, consider implementing web application firewall (WAF) rules to block or sanitize malicious payloads targeting this parameter.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.