PT-2026-29757 · Endian Technologies · Endian Firewall
Alex Williams · Published 2026-04-02 · Updated 2026-04-07
CVE-2026-34797
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Endian Firewall versions 3.3.25 and prior
Description
Endian Firewall versions 3.3.25 and earlier allow authenticated users to execute arbitrary OS commands through the DATE parameter in the '/cgi-bin/logs smtp.cgi' endpoint. The vulnerability arises from an incomplete regular expression validation when constructing a file path using the DATE parameter value, which is then passed to a Perl open() call, leading to command injection.
Recommendations
Update Endian Firewall to a version later than 3.3.25.
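For code that follows the same pattern the description names (a request value checked by a regular expression, placed in a file path, and handed to Perl open()), the hardened form looks like this. It is an added example, not Endian's code or the vendor's fix; the date format, log directory, file naming and function names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumptions (not from the advisory): the YYYY-MM-DD date format, the log
# directory, the file naming and every function name here are hypothetical.
my $LOG_DIR = '/var/log/example';

# Return the validated date, or nothing if the value is not exactly a date.
# \A and \z anchor the whole string; unlike ^ and $, \z does not tolerate a
# trailing newline, and /a restricts \d to ASCII digits.
sub validate_date {
    my ($raw) = @_;
    return unless defined $raw;
    return unless $raw =~ /\A(\d{4})-(\d{2})-(\d{2})\z/a;
    my ($y, $m, $d) = ($1, $2, $3);
    return if $m < 1 || $m > 12 || $d < 1 || $d > 31;
    return "$y-$m-$d";    # rebuilt from the captures, not from the raw input
}

# Open the log for a date with three-argument open(): the mode is fixed to
# '<' and the path is only ever treated as a file name, so nothing in it can
# be read as a mode or as a command to run.
sub open_log_for_date {
    my ($raw) = @_;
    my $date = validate_date($raw) // return;
    my $path = "$LOG_DIR/smtp-$date.log";
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed sample inputs: one well-formed date, then values that a
# partially anchored or loosely written pattern could let through.
my @samples = ("2026-04-02", "2026-04-02\n", "2026-04-02 extra",
               "../2026-04-02", "2026-13-40", "");
for my $s (@samples) {
    (my $shown = $s) =~ s/\n/\\n/g;
    my $verdict = defined(validate_date($s)) ? 'accepted' : 'rejected';
    printf "%-20s %s\n", "'$shown'", $verdict;
}
```

Only the first sample is accepted. Validation and the three-argument open() are independent controls, so either one still holds if the other is weakened later.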
Fix
OS Command Injection
Affected Products
Endian Firewall