Skip to main content

Firewall Community CVE-2026-34804

| EUVDEUVD-2026-18290 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-02 disclosure@vulncheck.com GHSA-8vwx-grx5-9rv6
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 02, 2026 - 15:22 euvd
EUVD-2026-18290
Analysis Generated
Apr 02, 2026 - 15:22 vuln.today
CVE Published
Apr 02, 2026 - 15:16 nvd
MEDIUM 5.1

DescriptionCVE.org

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the dscp parameter to /manage/qos/rules/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

AnalysisAI

Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the dscp parameter in the QoS rules management interface (/manage/qos/rules/). When other authenticated users view the affected configuration page, the injected script executes in their browser context, enabling session hijacking, credential theft, or lateral movement within the firewall management console. EPSS risk is elevated at moderate severity (CVSS 5.1), and no public exploit code or active exploitation has been confirmed.

Technical ContextAI

This is a stored (persistent) cross-site scripting vulnerability rooted in inadequate input validation and output encoding of the dscp parameter within Endian Firewall's QoS rules management module (CWE-79: Improper Neutralization of Input During Web Page Generation). The vulnerability exists in a web-based management interface that processes Quality of Service configuration settings. The attack vector is network-based with low complexity, requiring only low-privilege authentication (authenticated admin or management user). The stored nature of the XSS means the malicious payload persists in the firewall's configuration database and is reflected to any subsequent user accessing the QoS rules page, creating a multi-user attack surface within the management console.

RemediationAI

Upgrade Endian Firewall to a patched version released after 3.3.25; vendors typically issue incremental releases (e.g., 3.3.26 or later) to address web UI input validation issues. Consult the Endian Help Center and VulnCheck advisory for confirmed patched version availability and release timing. As an interim mitigation, restrict administrative console access to trusted networks via IP whitelisting or firewall rules, limit QoS rule configuration privileges to essential personnel, and conduct audit of existing QoS rule configurations to identify any injected JavaScript in dscp parameters. Apply input validation patches immediately upon vendor release, as stored XSS in administrative interfaces can facilitate privilege escalation and persistent access.

CVE-2021-27201 HIGH POC
8.8 Feb 15

Endian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m

CVE-2026-34797 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar

CVE-2026-34796 HIGH
8.7 Apr 02

Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi

CVE-2026-34795 HIGH
8.7 Apr 02

Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to

CVE-2026-34794 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co

CVE-2026-34793 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject

CVE-2026-34792 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject

CVE-2026-34791 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t

CVE-2026-34790 HIGH
7.1 Apr 02

Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through t

CVE-2026-34821 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary

CVE-2026-34823 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary

CVE-2026-34820 MEDIUM
5.1 Apr 02

Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS

Share

CVE-2026-34804 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy