CVE-2026-34801 is a stored cross-site scripting (XSS) vulnerability identified in Endian Firewall version 3.3.25 and prior. The flaw exists due to improper neutralization of user-supplied input in the 'remark' parameter on the DHCP fixed leases management page (/manage/dhcp/fixed_leases/). An authenticated attacker with at least limited privileges can inject arbitrary JavaScript code into this parameter. Because the input is stored persistently, the malicious script executes whenever other authenticated users view the affected page, enabling persistent XSS attacks. This vulnerability stems from CWE-79, which involves failure to properly sanitize or encode input before including it in dynamically generated web pages. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), and user interaction required (UI:P). The vulnerability does not affect confidentiality, integrity, or availability directly but can lead to indirect impacts such as session hijacking or privilege escalation via script execution in the victim's browser context. No patches or official fixes have been published yet, and no known exploits are reported in the wild. Endian Firewall is a network security appliance widely used in small to medium enterprises, especially in Europe and Latin America, making these regions more susceptible to targeted attacks leveraging this vulnerability.

The primary impact of CVE-2026-34801 is the potential for attackers to execute arbitrary JavaScript in the browsers of authenticated users who access the vulnerable page. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed with the victim's privileges, and potential lateral movement within the network. Although the vulnerability requires authentication, the low complexity of exploitation and the persistent nature of the XSS increase the risk. Organizations relying on Endian Firewall for perimeter security could face compromised administrative sessions, leading to further compromise of network infrastructure. The vulnerability could also undermine user trust and compliance with security policies. Since no public exploits are known yet, the risk is currently moderate but could escalate if exploit code becomes available.

Organizations should immediately restrict access to the Endian Firewall management interface to trusted administrators only, ideally via VPN or secure management networks. Upgrade to a patched version of Endian Firewall once available from the vendor. In the interim, implement web application firewall (WAF) rules to detect and block suspicious input patterns targeting the 'remark' parameter. Conduct regular audits of DHCP fixed lease entries to identify and remove suspicious or unexpected remarks. Educate administrators about the risks of stored XSS and encourage cautious handling of input fields. Consider implementing Content Security Policy (CSP) headers to limit the impact of injected scripts. Monitor logs for unusual activity or repeated access to the vulnerable page. Finally, enforce strong authentication and session management controls to minimize the impact of any successful exploitation.