Skip to main content

Firewall Community CVE-2026-34790

| EUVDEUVD-2026-18262 HIGH
Path Traversal (CWE-22)
2026-04-02 disclosure@vulncheck.com
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 02, 2026 - 15:22 euvd
EUVD-2026-18262
Analysis Generated
Apr 02, 2026 - 15:22 vuln.today
CVE Published
Apr 02, 2026 - 15:16 nvd
HIGH 7.1

DescriptionCVE.org

Endian Firewall version 3.3.25 and prior allow authenticated users to delete arbitrary files via directory traversal in the remove ARCHIVE parameter to /cgi-bin/backup.cgi. The remove ARCHIVE parameter value is used to construct a file path without sanitization of directory traversal sequences, which is then passed to an unlink() call.

AnalysisAI

Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through the /cgi-bin/backup.cgi remove ARCHIVE parameter. Attackers with low-privileged network access can leverage unsanitized path construction passed to unlink() to achieve high-integrity impact by removing critical system files. EPSS data not available; no public exploit identified at time of analysis, though the technical details disclosed by VulnCheck increase weaponization risk for authenticated threat actors.

Technical ContextAI

Endian Firewall's backup.cgi CGI script accepts a remove ARCHIVE parameter intended for deleting backup files. The vulnerability stems from CWE-22 (Path Traversal) where user-supplied input containing directory traversal sequences (../) is not validated or sanitized before being concatenated into a file path string. This unsanitized path is then passed directly to the unlink() system call, which removes files from the filesystem. An attacker can inject traversal sequences like ../../etc/shadow or ../../../../opt/endian/critical-config to escape the intended backup directory and delete arbitrary files accessible to the web server process. The CVSS:4.0 vector indicates network-based attack (AV:N), low complexity (AC:L), requiring low privileges (PR:L) but no user interaction (UI:N), resulting in high integrity impact (VI:H) and low availability impact (VA:L) to the vulnerable system.

RemediationAI

Upgrade to Endian Firewall Community Edition version 3.3.26 or later if available, consulting the official Endian Help Center at https://help.endian.com/hc/en-us/sections/360004371358-Community for release announcements and upgrade procedures. If immediate patching is not feasible, implement compensating controls including strict authentication and authorization enforcement for the /cgi-bin/backup.cgi interface, restricting access to highly trusted administrative accounts only. Deploy web application firewall (WAF) rules or input validation filters to detect and block directory traversal sequences (../, ..\, URL-encoded variants) in the remove ARCHIVE parameter. Review firewall access logs for suspicious backup.cgi requests containing traversal patterns and investigate any anomalous file deletion activity. Implement file integrity monitoring on critical system files to detect unauthorized deletion attempts. Consider network segmentation to limit access to the management interface from trusted administrative networks only. Full technical disclosure is available in the VulnCheck advisory at https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-backup-cgi-remove-archive-directory-traversal for security teams developing detection signatures.

CVE-2021-27201 HIGH POC
8.8 Feb 15

Endian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m

CVE-2026-34797 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar

CVE-2026-34796 HIGH
8.7 Apr 02

Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi

CVE-2026-34795 HIGH
8.7 Apr 02

Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to

CVE-2026-34794 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co

CVE-2026-34793 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject

CVE-2026-34792 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject

CVE-2026-34791 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t

CVE-2026-34821 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary

CVE-2026-34823 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary

CVE-2026-34820 MEDIUM
5.1 Apr 02

Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS

CVE-2026-34818 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious

Share

CVE-2026-34790 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy