CVE-2026-34802 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting Endian Firewall version 3.3.25 and prior. The vulnerability exists due to improper neutralization of input during web page generation, specifically in the 'remark user ham spam' parameter processed by the /cgi-bin/salearn.cgi CGI script. An attacker with valid authentication credentials can inject arbitrary JavaScript code into this parameter. Because the input is stored, the malicious script persists on the server and executes in the context of other users who access the affected page, potentially compromising their sessions or enabling further attacks such as privilege escalation or data theft. The vulnerability does not require elevated privileges beyond authentication, nor does it require additional user interaction beyond viewing the infected page. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), user interaction required (UI:P), and limited scope and impact on confidentiality, integrity, and availability (VC:N, VI:N, VA:N). The medium severity score of 5.1 reflects these factors. No public exploits have been reported yet, but the vulnerability poses a risk to organizations using Endian Firewall appliances, especially in environments where multiple users access the management interface. The root cause is insufficient input validation and output encoding in the web interface, allowing script injection. Remediation involves applying patches or updates from Endian (if available), or implementing strict input validation and output encoding on the affected parameter. Additionally, restricting access to the management interface and monitoring for suspicious activity can reduce risk.

The primary impact of CVE-2026-34802 is the potential for attackers to execute arbitrary JavaScript in the context of other authenticated users of the Endian Firewall management interface. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed on behalf of legitimate users, and potential lateral movement within the network. While the vulnerability does not directly compromise the firewall's core functionality or network traffic filtering, it undermines the integrity and confidentiality of the administrative interface. Exploitation could result in unauthorized configuration changes, exposure of sensitive network information, or disruption of firewall management operations. Given that the vulnerability requires authentication, the attacker must already have some level of access, but the stored nature of the XSS increases the risk by affecting multiple users over time. Organizations relying on Endian Firewall for perimeter security may face increased risk of compromise if this vulnerability is exploited, potentially leading to broader network security breaches.

To mitigate CVE-2026-34802, organizations should first check for and apply any official patches or updates released by Endian addressing this vulnerability. If patches are not yet available, implement strict input validation and output encoding on the 'remark user ham spam' parameter within the /cgi-bin/salearn.cgi endpoint to prevent script injection. Restrict access to the management interface to trusted IP addresses and enforce strong authentication mechanisms, including multi-factor authentication, to limit attacker access. Regularly audit user accounts and permissions to minimize the number of users with access to the vulnerable interface. Employ web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting this endpoint. Monitor logs for unusual activity or repeated access to the vulnerable CGI script. Educate administrators about the risks of stored XSS and encourage cautious behavior when interacting with user-generated content in the firewall interface. Finally, consider network segmentation to isolate management interfaces from general user networks, reducing the attack surface.