Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark user ham spam parameter to /cgi-bin/salearn.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
AnalysisAI
Stored cross-site scripting (XSS) in Endian Firewall version 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the remark user ham spam parameter in /cgi-bin/salearn.cgi. The injected payload is stored and executed in the browsers of other users who view the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; real-world risk is limited by the authentication requirement and user interaction dependency.
Technical ContextAI
This vulnerability stems from improper input sanitization and output encoding in a Common Gateway Interface (CGI) script responsible for spam learning functionality. The remark parameter fails to neutralize HTML/JavaScript metacharacters before storing user input in a backend database and rendering it in subsequent HTTP responses. This is a classic Stored XSS vulnerability (CWE-79), where malicious input persists across sessions and affects all users with access to the affected resource. The vulnerability affects Endian Firewall, a network security appliance running on Linux, where /cgi-bin/salearn.cgi handles spam/ham email classification via the web administration interface.
RemediationAI
Upgrade Endian Firewall to a version newer than 3.3.25 (exact fix version not specified in available data; consult vendor advisory for patched release). In the interim, restrict administrative access to /cgi-bin/salearn.cgi to trusted internal networks only, implement network-level access controls (e.g., IP whitelisting), and review access logs for suspicious activity. Additionally, instruct administrators to avoid clicking untrusted links or viewing potentially malicious remarks within the spam learning interface. Refer to https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-salearn-cgi-remark-user-ham-spam-stored-cross-site-scripting for official remediation guidance.
More in Firewall Community
View allEndian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m
Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar
Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi
Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t
Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through t
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18286