Skip to main content

Firewall Community EUVDEUVD-2026-18268

| CVE-2026-34793 HIGH
OS Command Injection (CWE-78)
2026-04-02 disclosure@vulncheck.com
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 02, 2026 - 15:22 euvd
EUVD-2026-18268
Analysis Generated
Apr 02, 2026 - 15:22 vuln.today
CVE Published
Apr 02, 2026 - 15:16 nvd
HIGH 8.7

DescriptionCVE.org

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_firewall.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.

AnalysisAI

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject arbitrary OS commands through the DATE parameter in /cgi-bin/logs_firewall.cgi. The vulnerability stems from inadequate regular expression validation that fails to prevent command injection in Perl open() calls. Authentication is required (PR:L), but once accessed, attackers gain high-impact control over confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the technical details disclosed by VulnCheck provide sufficient information for weaponization. EPSS data not available for this recent CVE.

Technical ContextAI

This vulnerability affects Endian Firewall Community Edition version 3.3.25 and all prior versions, a Linux-based unified threat management (UTM) appliance. The flaw is classified as CWE-78 (OS Command Injection) and resides in the logs_firewall.cgi CGI script written in Perl. The vulnerable code accepts user-supplied input via the DATE parameter and uses it to construct file paths passed directly to Perl's open() function. Perl's open() is notoriously dangerous when handling untrusted input because it interprets pipe characters and other shell metacharacters, enabling command execution. The developers attempted input validation using a regular expression, but the pattern was incomplete or bypassable, failing to sanitize malicious payloads. This represents a classic server-side injection vulnerability where backend code insufficiently validates data before using it in system-level operations. The network-accessible attack vector (AV:N) combined with low attack complexity (AC:L) makes this straightforward to exploit once an attacker obtains valid credentials.

RemediationAI

Organizations running Endian Firewall Community Edition 3.3.25 or earlier should immediately check for available security updates through the Endian help center at https://help.endian.com/hc/en-us/sections/360004371358-Community and apply any patched versions addressing CVE-2026-34793. Upstream fix availability from the vendor has not been independently confirmed from available data at time of analysis. As interim mitigation measures while awaiting patches, administrators should implement strict access controls limiting who can authenticate to the firewall management interface, enforce strong password policies, and monitor access logs for suspicious DATE parameter values in requests to logs_firewall.cgi. Network segmentation should isolate the Endian management interface from untrusted networks, restricting access only to dedicated administrative VLANs or VPN connections. Consider disabling the vulnerable CGI script if firewall log viewing through the web interface is not operationally critical, though this may impact management workflows. Detailed technical analysis is available in the VulnCheck advisory at https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-logs-firewall-cgi-date-perl-command-injection for security teams evaluating compensating controls.

CVE-2021-27201 HIGH POC
8.8 Feb 15

Endian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m

CVE-2026-34797 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar

CVE-2026-34796 HIGH
8.7 Apr 02

Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi

CVE-2026-34795 HIGH
8.7 Apr 02

Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to

CVE-2026-34794 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co

CVE-2026-34792 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject

CVE-2026-34791 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t

CVE-2026-34790 HIGH
7.1 Apr 02

Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through t

CVE-2026-34821 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary

CVE-2026-34823 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary

CVE-2026-34820 MEDIUM
5.1 Apr 02

Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS

CVE-2026-34818 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious

Share

EUVD-2026-18268 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy