CVE-2026-34799 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting Endian Firewall version 3.3.25 and prior. The vulnerability arises from improper neutralization of input during web page generation, specifically in the 'remark' parameter of the /manage/dnsmasq/hosts/ interface. An authenticated attacker can inject arbitrary JavaScript code into this parameter, which is then stored persistently on the server. When other authenticated users access the affected page, the malicious script executes in their browsers within the context of the firewall's web interface. This can lead to a range of attacks including session hijacking, theft of sensitive information, or performing unauthorized actions on behalf of the victim user. The attack vector requires the attacker to have at least low-level authenticated access to the firewall’s management interface, but no elevated privileges are necessary. User interaction is required in that other users must visit the compromised page to trigger the payload. The vulnerability has a CVSS 4.0 score of 5.1, reflecting medium severity due to the need for authentication and user interaction, but with a low attack complexity and no requirement for privileges beyond authentication. There are no known public exploits or patches available at the time of publication, increasing the importance of proactive mitigation. The vulnerability highlights a failure in input validation and output encoding mechanisms within the web management interface, a common vector for XSS attacks in web applications.

The primary impact of CVE-2026-34799 is the potential compromise of the confidentiality and integrity of user sessions within the Endian Firewall management interface. Successful exploitation could allow attackers to hijack sessions, steal credentials, or perform unauthorized administrative actions if the victim has elevated privileges. This could lead to further compromise of the firewall device, potentially allowing attackers to alter firewall rules, disable security controls, or pivot into the protected network. Although the vulnerability requires authentication, many organizations use Endian Firewall in critical network security roles, so even low-privileged user accounts could be leveraged for significant damage. The stored nature of the XSS increases risk as multiple users can be affected over time. The lack of known public exploits currently limits immediate widespread impact, but the vulnerability remains a significant risk if exploited internally or by attackers who gain initial access. Organizations relying on Endian Firewall for perimeter or internal network security could face increased risk of network compromise, data leakage, or service disruption if this vulnerability is exploited.

To mitigate CVE-2026-34799, organizations should first check for any official patches or updates from Endian and apply them promptly once available. In the absence of patches, administrators should restrict access to the firewall management interface to trusted networks and users only, minimizing the number of authenticated users who can reach the vulnerable page. Implement strict role-based access controls to limit who can modify DNS host entries or use the 'remark' parameter. Employ web application firewalls (WAFs) or intrusion prevention systems (IPS) with signatures to detect and block XSS payloads targeting the affected endpoint. Additionally, administrators can audit and sanitize existing 'remark' parameter entries to remove any malicious scripts. Educate users with access to the firewall interface about the risks of clicking unknown or suspicious links within the management UI. Finally, monitor firewall logs and user activity for unusual behavior that could indicate exploitation attempts. Organizations should also consider network segmentation to isolate management interfaces from general user networks to reduce exposure.