Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/vpnauthentication/user/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
AnalysisAI
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the remark parameter in the VPN authentication user management interface (/manage/vpnauthentication/user/). The injected payload persists in the database and executes when other authenticated users access the affected page, enabling session hijacking, credential theft, or lateral privilege escalation within the firewall management console.
Technical ContextAI
The vulnerability stems from improper input validation and output encoding of user-supplied data in the VPN authentication user management module (CWE-79: Improper Neutralization of Input During Web Page Generation). The remark parameter accepts and stores arbitrary input without sanitization, and the application fails to encode this data when rendering it in HTML context on subsequent page loads. This is a stored (persistent) XSS variant, meaning the malicious payload is retained in the backend database and executed server-side for all users who view the page, rather than requiring the attacker to trick a victim into clicking a crafted link. Affected product: Endian Firewall versions 3.3.25 and prior (exact CPE notation not provided in input data).
RemediationAI
Upgrade Endian Firewall to a patched version later than 3.3.25 (specific patched version number not provided in input data; consult vendor advisory at https://help.endian.com/hc/en-us/sections/360004371358-Community for the recommended fixed release). In the interim, restrict access to the /manage/vpnauthentication/user/ management interface via network firewall rules or role-based access controls, limiting it to trusted administrative staff only. Additionally, audit existing VPN user records for suspicious or malicious content in the remark field and sanitize or remove any suspicious entries. Implement web application firewall (WAF) rules to filter XSS payloads in the remark parameter if version upgrade is delayed.
More in Firewall Community
View allEndian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m
Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar
Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi
Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t
Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through t
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18324
GHSA-qxfx-cg86-j76f