Endian Firewall Community vulnerabilities
35 known vulnerabilities affecting endian/firewall_community.
Total CVEs: 35
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 9, MEDIUM 26
Vulnerabilities
Page 1 of 2
CVE-2026-34795 | P2 | HIGH | CVSS 8.8 | CWE-78 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_log.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.
nvd
CVE-2026-34796 | P2 | HIGH | CVSS 8.8 | CWE-78 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_openvpn.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.
nvd
CVE-2026-34792 | P2 | HIGH | CVSS 8.8 | CWE-78 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_clamav.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.
nvd
CVE-2026-34791 | P2 | HIGH | CVSS 8.8 | CWE-78 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_proxy.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.
nvd
CVE-2026-34797 | P2 | HIGH | CVSS 8.8 | CWE-78 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_smtp.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.
nvd
CVE-2026-34793 | P2 | HIGH | CVSS 8.8 | CWE-78 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_firewall.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.
nvd
CVE-2026-34794 | P2 | HIGH | CVSS 8.8 | CWE-78 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_ids.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.
nvd
CVE-2021-27201 | P3 | HIGH | CVSS 8.8 | CWE-78 | v3.3.2 | 2021-02-15
Endian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in a backup comment.
nvd
CVE-2026-34790 | P3 | HIGH | CVSS 8.1 | CWE-22 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow authenticated users to delete arbitrary files via directory traversal in the remove ARCHIVE parameter to /cgi-bin/backup.cgi. The remove ARCHIVE parameter value is used to construct a file path without sanitization of directory traversal sequences, which is then passed to an unlink() call.
nvd
CVE-2026-34807 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/incoming.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
nvd
CVE-2026-34814 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the group parameter to /cgi-bin/proxygroup.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
nvd
CVE-2026-34817 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the ADDRESS BCC parameter to /cgi-bin/smtprouting.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
nvd
CVE-2026-34819 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the REMARK parameter to /cgi-bin/openvpnclient.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
nvd
CVE-2026-34813 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the user parameter to /cgi-bin/proxyuser.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
nvd
CVE-2026-34798 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/routing.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
nvd
CVE-2026-34805 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/dnat.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
nvd
CVE-2026-34800 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the NAME parameter to /cgi-bin/uplinkeditor.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
nvd
CVE-2026-34802 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark user ham spam parameter to /cgi-bin/salearn.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
nvd
CVE-2026-34806 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/snat.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
nvd
CVE-2026-34815 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 3.3.25 | 2026-04-02
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the DOMAIN parameter to /cgi-bin/smtpdomains.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
nvd