CVE-2026-34790

CVSS v3.1

7.1

High

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Endian Firewall version 3.3.25 and prior allow authenticated users to delete arbitrary files via directory traversal in the remove ARCHIVE parameter to /cgi-bin/backup.cgi. The remove ARCHIVE parameter value is used to construct a file path without sanitization of directory traversal sequences, which is then passed to an unlink() call.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2026-34790

Affected Products

Endian Firewall

CVE-2026-34790

Weakness Enumeration

Related Identifiers

Affected Products

References · 3