CVE-2026-34816
Stored XSS in Endian Firewall SMTPSCAN Domain Routing Module
Publication date: 2026-04-02
Last updated on: 2026-04-06
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| endian | firewall_community | to 3.3.25 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34816 is a stored cross-site scripting (XSS) vulnerability in Endian Firewall versions 3.3.25 and earlier.
The vulnerability occurs via the "domain" parameter in the /manage/smtpscan/domainrouting/ endpoint.
An authenticated attacker can inject arbitrary JavaScript code through this parameter, which is then stored on the server and executed when other users view the affected page.
This type of vulnerability is classified under CWE-79, which involves improper neutralization of input during web page generation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to inject malicious JavaScript code that will execute in the browsers of other users who view the affected page.
The impact includes potential theft of user credentials, session hijacking, or performing actions on behalf of other users without their consent.
Since the attack requires authentication, it may be limited to users with some level of access, but it still poses a risk to the integrity and security of user sessions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of stored cross-site scripting (XSS) payloads injected via the "domain" parameter in the /manage/smtpscan/domainrouting/ endpoint of Endian Firewall versions 3.3.25 and earlier.
To detect exploitation attempts or presence of the vulnerability, you can monitor HTTP requests to the /manage/smtpscan/domainrouting/ endpoint for suspicious input in the "domain" parameter containing JavaScript code.
Example commands to detect such activity might include using network traffic inspection tools like tcpdump or tshark to filter HTTP POST or GET requests to the vulnerable endpoint and grep for suspicious JavaScript patterns.
- tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/manage/smtpscan/domainrouting/'
- tshark -Y 'http.request.uri contains "/manage/smtpscan/domainrouting/" and http.request.method == "POST"' -T fields -e http.file_data | grep -i '<script>'
Additionally, reviewing application logs for unusual input in the domain parameter or scanning the stored data for injected scripts can help detect the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /manage/smtpscan/domainrouting/ endpoint to trusted authenticated users only, as the vulnerability requires authentication.
Sanitize and validate all input to the "domain" parameter to prevent injection of arbitrary JavaScript code.
Apply any available patches or updates from Endian Firewall that address this vulnerability.
If patching is not immediately possible, consider disabling or restricting the affected functionality to prevent exploitation.
Monitor logs and network traffic for signs of exploitation attempts and remove any stored malicious scripts found in the system.