CVE-2026-34807
Stored XSS in Endian Firewall Incoming.cgi Allows Script Injection
Publication date: 2026-04-02
Last updated on: 2026-04-07
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| endian | firewall_community | to 3.3.25 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how CVE-2026-34807 affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-34807 is a stored cross-site scripting (XSS) vulnerability in Endian Firewall version 3.3.25 and earlier. It occurs because the application does not properly neutralize input in the "remark" parameter of the /cgi-bin/incoming.cgi endpoint.
An authenticated attacker can inject arbitrary JavaScript code via this parameter, which is then stored on the server and executed when other users view the affected page.
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to inject and store malicious JavaScript code that executes in the browsers of other users who view the affected page.
The impact includes potential user session hijacking, unauthorized actions performed on behalf of users, or other malicious activities executed in the context of the affected application.
However, the CVSS v4.0 score indicates no direct impact on confidentiality, integrity, or availability, and the attack requires low privileges and user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and inspecting requests to the /cgi-bin/incoming.cgi endpoint, specifically looking for the presence of the "remark" parameter containing suspicious or arbitrary JavaScript code.
Since the vulnerability requires authentication, detection involves checking authenticated user inputs to the "remark" parameter for potential stored cross-site scripting payloads.
Commands to detect this may include using web server logs or network traffic inspection tools to search for requests containing the "remark" parameter with script tags or JavaScript code.
- Using grep on web server logs: grep -i 'remark=.*<script' /var/log/httpd/access_log
- Using curl to test injection (requires authentication): curl -u user:password -d 'remark=<script>alert(1)</script>' https://target/cgi-bin/incoming.cgi -v
- Using a web proxy or scanner to detect stored XSS payloads in the remark parameter.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /cgi-bin/incoming.cgi endpoint to trusted users only, as the vulnerability requires authentication.
Additionally, input validation and sanitization should be applied to the "remark" parameter to neutralize any injected JavaScript code.
If possible, upgrade Endian Firewall to a version later than 3.3.25 where this vulnerability is fixed.
As a temporary workaround, monitor and remove any suspicious stored remarks containing script code.