Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/incoming.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
AnalysisAI
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and earlier allows authenticated attackers to inject arbitrary JavaScript through the remark parameter in /cgi-bin/incoming.cgi, which is then executed when other users access the affected page. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), resulting in a CVSS 5.1 score with limited scope impact; no public exploit code or active exploitation has been confirmed.
Technical ContextAI
This is a stored (persistent) cross-site scripting vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability exists in Endian Firewall's CGI script /cgi-bin/incoming.cgi, which fails to properly sanitize or escape user-supplied input from the remark parameter before storing it in a backend data store. When other authenticated users later view pages that render this stored remark, the injected JavaScript executes in their browser context with the privileges of the logged-in user. The attack relies on insufficient input validation and output encoding mechanisms in the web application layer.
RemediationAI
Upgrade Endian Firewall to a patched version released after 3.3.25. Consult the Endian Firewall Community support portal and VulnCheck advisory for specific available patch versions and release dates. As an interim mitigation, restrict administrative access to the Endian Firewall management interface through network segmentation, limit authenticated user accounts to trusted personnel only, and implement web application firewall (WAF) rules to block JavaScript injection patterns in the remark parameter. Input validation and output encoding fixes should be applied to sanitize the remark parameter before storage and ensure HTML/JavaScript entities are properly escaped during rendering.
More in Firewall Community
View allEndian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m
Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar
Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi
Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t
Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through t
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18296
GHSA-259x-xg45-mf97