CVE-2026-34804 is a stored cross-site scripting vulnerability classified under CWE-79, affecting Endian Firewall version 3.3.25 and prior. The vulnerability arises from improper neutralization of user-supplied input in the 'dscp' parameter on the /manage/qos/rules/ web interface. An attacker with authenticated access can inject arbitrary JavaScript code that is persistently stored on the firewall device. When other users access the affected QoS rules management page, the malicious script executes in their browsers within the context of the firewall's web interface. This can lead to unauthorized actions such as session hijacking, theft of sensitive information, or manipulation of firewall settings. The vulnerability requires low attack complexity and no additional privileges beyond authentication, but does require user interaction to trigger the payload. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) reflects network attack vector, low complexity, no additional privileges beyond authentication, and user interaction. No known exploits are currently in the wild, and no official patches have been published at the time of disclosure. This vulnerability highlights the risk of insufficient input validation in web management interfaces of security appliances.

The impact of CVE-2026-34804 is primarily on the confidentiality and integrity of the firewall management environment. Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the firewall’s web interface, potentially leading to session hijacking, unauthorized changes to firewall rules, or disclosure of sensitive administrative data. This can undermine the security posture of the protected network by allowing attackers to bypass firewall protections or gain deeper access. Since the vulnerability requires authenticated access, the risk is higher in environments where multiple users have administrative or management privileges, or where credentials may be compromised or weak. The stored nature of the XSS means the malicious payload persists and can affect multiple users over time. Although the vulnerability does not directly impact availability, the indirect consequences of compromised firewall settings could lead to network disruptions or exposure to further attacks.

To mitigate CVE-2026-34804, organizations should immediately upgrade Endian Firewall to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should restrict access to the firewall management interface to trusted networks and users only, enforce strong authentication mechanisms, and monitor for unusual activity. Implementing web application firewall (WAF) rules to detect and block suspicious input patterns targeting the 'dscp' parameter may provide temporary protection. Additionally, administrators should educate users with access to the firewall interface about the risks of stored XSS and encourage cautious behavior when interacting with QoS rules pages. Regularly auditing firewall configurations and logs for unauthorized changes can help detect exploitation attempts. Finally, consider isolating management interfaces from general user networks to reduce exposure.