CVE-2026-34809
Stored XSS in Endian Firewall zonefw.cgi Allows Script Injection
Publication date: 2026-04-02
Last updated on: 2026-04-07
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| endian | firewall_community | to 3.3.25 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34809 is a stored cross-site scripting (XSS) vulnerability in Endian Firewall versions 3.3.25 and earlier.
The vulnerability occurs because the 'remark' parameter in the /cgi-bin/zonefw.cgi endpoint does not properly neutralize input, allowing an authenticated attacker to inject arbitrary JavaScript code.
This injected code is stored and then executed when other users view the affected page, potentially compromising their security.
How can this vulnerability impact me? :
An attacker who is authenticated can inject malicious JavaScript code that will execute in the browsers of other users viewing the affected page.
This can lead to unauthorized actions performed on behalf of users, theft of sensitive information such as session tokens, or other malicious activities that compromise user security.
The vulnerability has a medium severity with a CVSS v4 base score of 5.1, indicating a moderate impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious or unexpected JavaScript code injections in the "remark" parameter of requests to the /cgi-bin/zonefw.cgi endpoint. Since the vulnerability requires authentication, detection should focus on authenticated user activity targeting this endpoint.
Network or system administrators can use web server logs or intrusion detection systems to look for HTTP POST or GET requests containing script tags or JavaScript code in the "remark" parameter.
Example commands to detect potential exploitation attempts might include searching web server logs for suspicious input patterns:
- grep -i 'remark=.*<script' /var/log/httpd/access_log
- grep -i 'remark=.*javascript:' /var/log/httpd/access_log
Additionally, monitoring for unusual authenticated user activity on the /cgi-bin/zonefw.cgi endpoint can help identify attempts to exploit this stored XSS vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /cgi-bin/zonefw.cgi endpoint to trusted users only, as the vulnerability requires authentication.
Users should prioritize remediation by applying any available patches or updates from Endian Firewall that address this stored cross-site scripting vulnerability.
In the absence of a patch, administrators can implement input validation or sanitization on the "remark" parameter to prevent injection of arbitrary JavaScript code.
Monitoring real-time alerts and logs for suspicious activity related to this endpoint can also help in early detection and response.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how CVE-2026-34809 affects compliance with common standards and regulations such as GDPR or HIPAA.