PT-2026-29754 · Endian · Endian Firewall
Alex Williams +1 · Published 2026-04-02 · Updated 2026-04-02 · CVE-2026-34794
CVSS v3.1: 8.8 High (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Endian Firewall versions 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs ids.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call. Because the regular expression that validates the value is incomplete, this allows command injection.
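The defensive pattern for this class of bug, as an added example that is not Endian's code: validate the whole value with an anchored pattern, then use three-argument open() so the path is never parsed for a mode. The advisory does not show the actual pattern or file layout, so the unanchored "loose" check, the YYYY-MM-DD format, the `ids-<date>.log` naming and all function names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not Endian's code. Date format, file naming and function
# names are assumptions made for illustration.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Incomplete check: unanchored, so it only requires a date-like substring
# somewhere in the value; anything before or after it is accepted too.
sub loose_ok { return $_[0] =~ /\d{4}-\d{2}-\d{2}/ ? 1 : 0 }

# Strict check: \A and \z anchor the whole value ($ would still allow a
# trailing newline), and /a restricts \d to ASCII digits.
sub strict_date {
    my ($value) = @_;
    return unless defined $value;
    return $value =~ /\A(\d{4}-\d{2}-\d{2})\z/a ? $1 : undef;
}

# Open the log for one day. Three-argument open takes the mode separately,
# so the path is only ever a file name, never a mode or command string.
sub open_log_for_date {
    my ($log_dir, $value) = @_;
    my $date = strict_date($value) // die "rejected DATE value\n";
    my $path = File::Spec->catfile($log_dir, "ids-$date.log");
    open(my $fh, '<', $path) or die "cannot open log: $!\n";
    return $fh;
}

# Constructed sample data: one log file in a temporary directory.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', File::Spec->catfile($dir, 'ids-2026-04-02.log')) or die $!;
print {$out} "constructed sample log line\n";
close $out;

# Constructed inputs: one valid date and three that only contain one.
for my $value ('2026-04-02', "2026-04-02\n", '2026-04-02 trailing', '../2026-04-02') {
    (my $shown = $value) =~ s/\n/\\n/g;
    my $fh = eval { open_log_for_date($dir, $value) };
    printf "%-22s loose=%d strict=%s\n", "'$shown'", loose_ok($value), $fh ? 'opened' : 'rejected';
    close $fh if $fh;
}
```

Each of the four constructed inputs passes the loose check, while only the exact date gets past the strict one and is opened.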
Fix
OS Command Injection
Affected Products
Endian Firewall