Skip to main content

Firewall Community EUVDEUVD-2026-18274

| CVE-2026-34796 HIGH
OS Command Injection (CWE-78)
2026-04-02 disclosure@vulncheck.com GHSA-4qwj-j599-qqw3
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 02, 2026 - 15:22 euvd
EUVD-2026-18274
Analysis Generated
Apr 02, 2026 - 15:22 vuln.today
CVE Published
Apr 02, 2026 - 15:16 nvd
HIGH 8.7

DescriptionCVE.org

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_openvpn.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.

AnalysisAI

Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbitrary operating system commands through command injection in the logs_openvpn.cgi DATE parameter. The vulnerability stems from inadequate input validation in a Perl open() call, enabling attackers to break out of intended file path operations. CVSS 8.7 reflects the severe impact (complete system compromise) despite requiring authentication. EPSS and KEV data not provided; no public exploit identified at time of analysis, though the technical details disclosed suggest exploitation development is straightforward for authenticated attackers.

Technical ContextAI

This vulnerability exploits a classic Perl security anti-pattern in the open() function. When Perl's two-argument open() receives user-controlled input containing shell metacharacters (such as pipe characters), it interprets them as commands rather than literal filename characters. The Endian Firewall CGI script /cgi-bin/logs_openvpn.cgi accepts a DATE parameter intended for constructing log file paths, but applies an incomplete regular expression that fails to sanitize command injection payloads. An attacker can craft DATE values like '2024-01-01|id|' where the pipe character causes Perl to execute 'id' as a system command. This is classified as CWE-78 (OS Command Injection), a weakness arising from improper neutralization of special elements before passing data to system execution contexts. The vulnerability affects the web management interface, which typically runs with elevated privileges on firewall appliances, amplifying the impact beyond typical web application command injection.

RemediationAI

Organizations running Endian Firewall 3.3.25 or earlier must immediately check for vendor security updates addressing CVE-2026-34796. Contact Endian support through their official channels at https://help.endian.com/hc/en-us/sections/360004371358-Community to obtain patched versions or security guidance, as no vendor-released patch version is independently confirmed from available data at time of analysis. As an interim mitigation, restrict access to the Endian Firewall web administration interface to trusted IP addresses only, implement network segmentation to isolate management interfaces from broader user populations, audit existing user accounts with web interface access and remove unnecessary privileges, and enable comprehensive logging for /cgi-bin/ access to detect exploitation attempts. Review authentication logs for suspicious DATE parameter values containing shell metacharacters (pipes, semicolons, backticks). Organizations should prioritize patching given the severity and the relatively small attack surface of firewall management interfaces. For detailed vulnerability analysis, consult the VulnCheck advisory at https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-logs-openvpn-cgi-date-perl-command-injection.

CVE-2021-27201 HIGH POC
8.8 Feb 15

Endian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m

CVE-2026-34797 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar

CVE-2026-34795 HIGH
8.7 Apr 02

Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to

CVE-2026-34794 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co

CVE-2026-34793 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject

CVE-2026-34792 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject

CVE-2026-34791 HIGH
8.7 Apr 02

Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t

CVE-2026-34790 HIGH
7.1 Apr 02

Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through t

CVE-2026-34821 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary

CVE-2026-34823 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary

CVE-2026-34820 MEDIUM
5.1 Apr 02

Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS

CVE-2026-34818 MEDIUM
5.1 Apr 02

Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious

Share

EUVD-2026-18274 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy