Medium severity 5.4 · NVD Advisory · Published Mar 30, 2026 · Updated Apr 14, 2026
CVE-2026-26352
Description
Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross-site scripting vulnerability in the /cgi-bin/vpnmain.cgi script due to improper sanitization of the VPN_IP parameter. Authenticated attackers can inject arbitrary JavaScript through VPN configuration settings that executes when the affected page is viewed by other users.
Affected products
- cpe:2.3:o:smoothwall:smoothwall_express:*:*:*:*:*:*:*:* (range: <=3.0)
- cpe:2.3:o:smoothwall:smoothwall_express:3.1:update1:*:*:-:*:*:*
- cpe:2.3:o:smoothwall:smoothwall_express:3.1:update10:*:*:-:*:*:*
- cpe:2.3:o:smoothwall:smoothwall_express:3.1:update11:*:*:-:*:*:*
- cpe:2.3:o:smoothwall:smoothwall_express:3.1:update12:*:*:-:*:*:*
- cpe:2.3:o:smoothwall:smoothwall_express:3.1:update2:*:*:-:*:*:*
- cpe:2.3:o:smoothwall:smoothwall_express:3.1:update3:*:*:-:*:*:*
- cpe:2.3:o:smoothwall:smoothwall_express:3.1:update4:*:*:-:*:*:*
- cpe:2.3:o:smoothwall:smoothwall_express:3.1:update5:*:*:-:*:*:*
- cpe:2.3:o:smoothwall:smoothwall_express:3.1:update6:*:*:-:*:*:*
- cpe:2.3:o:smoothwall:smoothwall_express:3.1:update7:*:*:-:*:*:*
- cpe:2.3:o:smoothwall:smoothwall_express:3.1:update8:*:*:-:*:*:*
- cpe:2.3:o:smoothwall:smoothwall_express:3.1:update9:*:*:-:*:*:*
Patches
No patches discovered yet.
References
- www.vulncheck.com/advisories/smoothwall-express-stored-xss-in-vpnmain-cgi-via-vpn-ip-parameter (NVD; Third Party Advisory)
- community.smoothwall.org/forum/viewtopic.php (NVD; Release Notes, Product)