Skip to main content

Firewall Community CVE-2026-34795

| EUVDEUVD-2026-18272 HIGH
OS Command Injection (CWE-78)
2026-04-02 disclosure@vulncheck.com GHSA-89fh-vj32-9xrm
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 02, 2026 - 15:22 euvd
EUVD-2026-18272
Analysis Generated
Apr 02, 2026 - 15:22 vuln.today
CVE Published
Apr 02, 2026 - 15:16 nvd
HIGH 8.7

DescriptionCVE.org

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_log.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.

AnalysisAI

Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to execute arbitrary OS commands via command injection in the DATE parameter of /cgi-bin/logs_log.cgi. The vulnerability stems from incomplete regular expression validation in Perl open() file path handling. No public exploit identified at time of analysis, though CVSS 8.7 severity reflects high potential impact across confidentiality, integrity, and availability. EPSS data not provided; exploitation requires network access with low-privilege authentication but no user interaction.

Technical ContextAI

This vulnerability exploits unsafe handling of user-controlled input in Perl's open() function within Endian Firewall's CGI-based web management interface. The logs_log.cgi script accepts a DATE parameter intended for constructing file paths to access log files. However, the regular expression validation is insufficiently restrictive, allowing metacharacters to be injected. In Perl, the two-argument form of open() interprets pipe characters and shell metacharacters as commands rather than literal filename components. This CWE-78 OS Command Injection vulnerability occurs when the application fails to properly neutralize special elements before incorporating user input into system command execution paths. The affected component is part of Endian Firewall's logging interface, which runs with elevated privileges necessary for system log access, amplifying the impact of successful exploitation.

RemediationAI

Organizations running affected Endian Firewall versions should immediately apply vendor-released patches when available by monitoring the official Endian Community support portal at https://help.endian.com/hc/en-us/sections/360004371358-Community for security updates addressing CVE-2026-34795. Upstream fix availability not independently confirmed from available data; consult vendor advisories for patched version numbers. As interim mitigations until patching, restrict network access to the web management interface using firewall rules to allow only trusted administrator IP addresses, disable remote management access if not operationally required, enforce strong authentication policies including multi-factor authentication for administrative accounts, and implement network segmentation to limit the impact of potential compromise. Review all user accounts with access to the web interface and remove or demote unnecessary privileges following least-privilege principles. Monitor system logs for suspicious command execution patterns or unexpected access to /cgi-bin/logs_log.cgi with unusual DATE parameter values. Consider deploying web application firewall rules to block requests containing shell metacharacters in the DATE parameter as a temporary control, though this should not replace patching.

CVE-2021-27201 HIGH POC
8.8 Feb 15

Endian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m

CVE-2026-34797 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar

CVE-2026-34796 HIGH
8.7 Apr 02

Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi

CVE-2026-34794 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co

CVE-2026-34793 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject

CVE-2026-34792 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject

CVE-2026-34791 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t

CVE-2026-34790 HIGH
7.1 Apr 02

Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through t

CVE-2026-34821 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary

CVE-2026-34823 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary

CVE-2026-34820 MEDIUM
5.1 Apr 02

Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS

CVE-2026-34818 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious

Share

CVE-2026-34795 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy