Firewall Community

CVEs (34)

CVE	Sev	Risk	CVSS	Published	Description
CVE-2026-34811	Med	0.42	6.4	Apr 2, 2026	Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/xtaccess.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34810	Med	0.42	6.4	Apr 2, 2026	Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/vpnfw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34809	Med	0.42	6.4	Apr 2, 2026	Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/zonefw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34808	Med	0.42	6.4	Apr 2, 2026	Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/outgoingfw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34807	Med	0.42	6.4	Apr 2, 2026	Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/incoming.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34806	Med	0.42	6.4	Apr 2, 2026	Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/snat.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34805	Med	0.42	6.4	Apr 2, 2026	Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/dnat.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34804	Med	0.42	6.4	Apr 2, 2026	Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the dscp parameter to /manage/qos/rules/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34803	Med	0.42	6.4	Apr 2, 2026	Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the name parameter to /manage/qos/classes/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34802	Med	0.42	6.4	Apr 2, 2026	Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark user ham spam parameter to /cgi-bin/salearn.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34801	Med	0.42	6.4	Apr 2, 2026	Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dhcp/fixed_leases/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34800	Med	0.42	6.4	Apr 2, 2026	Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the NAME parameter to /cgi-bin/uplinkeditor.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34799	Med	0.42	6.4	Apr 2, 2026	Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dnsmasq/hosts/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34798	Med	0.42	6.4	Apr 2, 2026	Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/routing.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34811MedApr 2, 2026
risk 0.42cvss 6.4epss 0.00
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/xtaccess.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34810MedApr 2, 2026
risk 0.42cvss 6.4epss 0.00
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/vpnfw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34809MedApr 2, 2026
risk 0.42cvss 6.4epss 0.00
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/zonefw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34808MedApr 2, 2026
risk 0.42cvss 6.4epss 0.00
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/outgoingfw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34807MedApr 2, 2026
risk 0.42cvss 6.4epss 0.00
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/incoming.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34806MedApr 2, 2026
risk 0.42cvss 6.4epss 0.00
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/snat.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34805MedApr 2, 2026
risk 0.42cvss 6.4epss 0.00
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/dnat.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34804MedApr 2, 2026
risk 0.42cvss 6.4epss 0.00
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the dscp parameter to /manage/qos/rules/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34803MedApr 2, 2026
risk 0.42cvss 6.4epss 0.00
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the name parameter to /manage/qos/classes/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34802MedApr 2, 2026
risk 0.42cvss 6.4epss 0.00
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark user ham spam parameter to /cgi-bin/salearn.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34801MedApr 2, 2026
risk 0.42cvss 6.4epss 0.00
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dhcp/fixed_leases/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34800MedApr 2, 2026
risk 0.42cvss 6.4epss 0.00
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the NAME parameter to /cgi-bin/uplinkeditor.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34799MedApr 2, 2026
risk 0.42cvss 6.4epss 0.00
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dnsmasq/hosts/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34798MedApr 2, 2026
risk 0.42cvss 6.4epss 0.00
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/routing.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

Page 2 of 2