CVE-2026-34807 Endian Firewall /cgi-bin/incoming.cgi remark Stored Cross-Site Scripting
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/incoming.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page...
CVE-2026-34805
Endian Firewall 3.3.25 and prior is affected by a stored XSS in the remark parameter of /cgi-bin/dnat.cgi. An authenticated attacker can inject JavaScript that is stored and executed when other users view the page. No remediation details are provided in the supplied documents.
CVE-2026-34798 Endian Firewall /cgi-bin/routing.cgi remark Stored Cross-Site Scripting
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/routing.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page...
CVE-2026-34797
Endian Firewall versions 3.3.25 and earlier are affected. Authenticated users can run arbitrary OS commands via the DATE parameter in /cgi-bin/logs_smtp.cgi. The value is used to build a file path passed to a Perl open() call, with incomplete regex validation en...
CVE-2026-34795
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_log.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open call, which allows command injection due to an incomplete...
CVE-2026-34796
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logsopenvpn.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open call, which allows command injection due to an incomplete...
CVE-2026-34795 Endian Firewall /cgi-bin/logs_log.cgi DATE Perl Command Injection
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_log.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open call, which allows command injection due to an incomplete...
CVE-2026-34793
Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logsfirewall.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open call, which allows command injection due to an incomplet...
CVE-2026-34790 Endian Firewall /cgi-bin/backup.cgi remove ARCHIVE Directory Traversal
Endian Firewall version 3.3.25 and prior allow authenticated users to delete arbitrary files via directory traversal in the remove ARCHIVE parameter to /cgi-bin/backup.cgi. The remove ARCHIVE parameter value is used to construct a file path without sanitization of directory traversal sequences,...
CVE-2026-34790
Endian Firewall versions 3.3.25 and prior are affected. The vulnerability resides in /cgi-bin/backup.cgi where the remove ARCHIVE parameter is used to build a file path without sanitizing directory traversal sequences, and the path is passed to unlink(). This allows an authenticated user to delet...
Endian Firewall OS Command Injection Vulnerability
Endian Firewall is a network security firewall system from Endian. An operating system command injection vulnerability exists in the Endian Firewall DATE parameter, which stems from incomplete regular expression validation of the DATE parameter in /cgi-bin/logsopenvpn.cgi, and can be exploited by...
Endian Firewall OS Command Injection Vulnerability
Endian Firewall is a network security firewall system developed by Endian Corporation. Versions of Endian Firewall 3.3.25 and earlier contained a vulnerability related to operating system command injection. This vulnerability stemmed from incomplete regular expression validation for the DATE...
PT-2026-29773
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the user parameter to /cgi-bin/proxyuser.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page...
Endian Firewall Cross-Site Scripting Vulnerability
Endian Firewall is a network security firewall system from Endian. A cross-site scripting vulnerability exists in the Endian Firewall REMARK parameter, which stems from improper handling of the REMARK parameter in /cgi-bin/openvpnclient.cgi, and can be exploited by an attacker to inject malicious...
PT-2026-29767
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/incoming.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page...
PT-2026-29751
Name of the Vulnerable Software and Affected Versions: Endian Firewall versions 3.3.25 and prior. Description: Endian Firewall versions 3.3.25 and earlier allow authenticated users to execute arbitrary OS commands via the DATE parameter to the '/cgi-bin/logs proxy.cgi' API endpoint. The DATE paramet...
TRENDnet TEW-657BRM OS Command Injection Vulnerability
TRENDnet TEW-657BRM is a WiFi router produced by TRENDnet. Version 1.00.1 of the TRENDnet TEW-657BRM has an operating system command injection vulnerability. This vulnerability stems from incorrect handling of parameters for the Edit function in the file /setup.cgi,...
CVE-2026-5312
CVE-2026-5312 affects D-Link DNS-1xx NAS models (e.g., DNS-120, DNS-320/320L/320LW/321, DNS-327L, DNS-1100-4, DNS-1550-04, among others) with the dsk_mgr.cgi Get_current_raidtype path. The vulnerability concerns the functions under /cgi-bin/dsk_mgr.cgi (including Get_Volume_Mapping, Get_current_r...
CVE-2026-5311 D-Link DNS-1550-04 file_center.cgi Webdav_Access_List access control
A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected is the function...
CVE-2026-5177
A weakness has been identified in Totolink A3300R 17.0.0cu.557b20221024. Affected by this vulnerability is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument rxRate can lead to command injection. The attack may be launched remotely. The exploit...