Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/xtaccess.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
AnalysisAI
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the remark parameter in /cgi-bin/xtaccess.cgi, which is executed when other users view the affected page. The vulnerability requires valid user credentials and user interaction but can compromise session tokens and sensitive data of administrators and other firewall users. No public exploit code or active exploitation has been confirmed at this time.
Technical ContextAI
The vulnerability is a classic stored (persistent) XSS flaw rooted in improper input validation and output encoding of the remark parameter in the xtaccess.cgi script (CWE-79: Improper Neutralization of Input During Web Page Generation). The xtaccess.cgi endpoint is part of Endian Firewall's web administration interface, which accepts user-supplied input via the remark field without adequate sanitization. When this unsanitized data is stored in a database or configuration file and subsequently rendered in HTML responses to other authenticated users, the injected JavaScript executes in their browsers with the privileges of the authenticated session. The attack vector is network-based, targeting the HTTP/HTTPS management interface on the firewall appliance.
RemediationAI
Upgrade Endian Firewall to a version after 3.3.25; vendors typically release patches incrementally, and the community help portal (https://help.endian.com/hc/en-us/sections/360004371358-Community) should be consulted for the specific patched version number. In the interim, restrict access to the firewall's web management interface (/cgi-bin/xtaccess.cgi) to trusted IP addresses or VPNs using firewall rules or authentication gateways. Audit existing remark fields in the firewall configuration for any suspicious or encoded JavaScript content and sanitize or remove them. Consider implementing a Web Application Firewall (WAF) rule to block requests containing common XSS payloads (e.g., script tags, event handlers) sent to the xtaccess.cgi endpoint. Regularly rotate administrative credentials and review access logs for suspicious activity. Additional information is available via the VulnCheck advisory at https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-xtaccess-cgi-remark-stored-cross-site-scripting.
More in Firewall Community
View allEndian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m
Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar
Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi
Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t
Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through t
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18304
GHSA-jh32-cjg2-jpqq