CVE-2026-34814 is a stored cross-site scripting (CWE-79) vulnerability affecting Endian Firewall version 3.3.25 and prior. The issue arises from improper neutralization of input in the group parameter of the /cgi-bin/proxygroup.cgi CGI script. Authenticated attackers can exploit this flaw to inject arbitrary JavaScript code, which is stored on the server and executed in the browsers of users who view the compromised page. This can lead to session hijacking, unauthorized actions, or other client-side impacts typical of stored XSS vulnerabilities. The CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, and user interaction needed.

Successful exploitation allows an authenticated attacker to execute arbitrary JavaScript in the context of other users' browsers when they view the affected page. This can result in theft of session tokens, defacement, or other malicious client-side actions. The vulnerability does not require high privileges but does require authentication and user interaction. There are no known exploits in the wild as of the published date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor the vendor's security advisories for updates. In the meantime, restricting access to the affected CGI endpoint to trusted users and minimizing the number of users with authentication privileges may reduce risk. Avoiding use of the vulnerable parameter or sanitizing inputs at the application level could be considered as temporary mitigations if feasible.