Authenticated Command Injection Flaws Disclosed in Endian Firewall CGI Scripts
Two high-severity vulnerabilities, CVE-2026-34794 and CVE-2026-34791, were disclosed in Endian Firewall 3.3.25 and earlier, exposing authenticated users to arbitrary operating system command execution through the DATE parameter in the /cgi-bin/logs_ids.cgi and /cgi-bin/logs_proxy.cgi endpoints. Both flaws were classified as CWE-78 command injection issues and stem from incomplete regular-expression validation that lets attacker-controlled input influence a file path passed to a Perl open() call.
The vulnerabilities carry the same CVSS v3.1 score vector, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network-reachable exploitation with low attack complexity and low privileges, with high impact on confidentiality, integrity, and availability. The disclosures were submitted through VulnCheck and reference vendor support resources from Endian, highlighting that organizations running affected firewall versions should review exposure of these CGI components and prioritize remediation.
Timeline
Apr 2, 2026
Endian Firewall CVE-2026-34797 command injection flaw disclosed
A fourth authenticated command injection vulnerability, CVE-2026-34797, was disclosed in Endian Firewall 3.3.25 and earlier. The flaw affects the DATE parameter in /cgi-bin/logs_smtp.cgi, where incomplete validation allows arbitrary OS command execution through a Perl open() call.
Apr 2, 2026
Endian Firewall CVE-2026-34796 command injection flaw disclosed
A third authenticated command injection vulnerability, CVE-2026-34796, was disclosed in Endian Firewall 3.3.25 and earlier. The flaw affects the DATE parameter in /cgi-bin/logs_openvpn.cgi, where incomplete validation allows arbitrary OS command execution through a Perl open() call.
Apr 2, 2026
Endian Firewall CVE-2026-34795 command injection flaw disclosed
A fifth authenticated command injection vulnerability, CVE-2026-34795, was disclosed in Endian Firewall 3.3.25 and earlier. The flaw affects the DATE parameter in /cgi-bin/logs_log.cgi, where incomplete validation allows arbitrary OS command execution through a Perl open() call.
Apr 2, 2026
Endian Firewall command injection flaws disclosed as CVE-2026-34791 and CVE-2026-34794
Two authenticated command injection vulnerabilities affecting Endian Firewall 3.3.25 and earlier were disclosed. The flaws involve insufficient validation of the DATE parameter in /cgi-bin/logs_proxy.cgi and /cgi-bin/logs_ids.cgi, allowing arbitrary OS command execution via a Perl open() call.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Sources
1 more from sources like cvefeed high severity
Related Stories
Unauthenticated Command Injection Flaws Disclosed in Totolink A7100RU Router
Two critical vulnerabilities, **CVE-2026-5851** and **CVE-2026-5976**, were disclosed in the **Totolink A7100RU** router running firmware `7.4cu.2313_b20191024`, exposing the device to remote **OS command injection** without authentication or user interaction. Both flaws affect `/cgi-bin/cstecgi.cgi` in the router's CGI handler: CVE-2026-5851 is tied to the `setUPnPCfg` function through the `enable` argument, while CVE-2026-5976 affects the `setStorageCfg` function through the `sambaEnabled` argument. The vulnerabilities were classified under **CWE-78** and **CWE-77** and were assigned high to critical severity across CVSS versions, reflecting potential compromise of confidentiality, integrity, and availability. Public exploit information has reportedly been released, including references to **VulDB** and a **GitHub** disclosure repository, increasing the likelihood of exploitation against exposed devices that have not been updated or otherwise mitigated.
2 weeks ago
Publicly Exploitable Command Injection Flaws Disclosed in Totolink A3300R Router
Two high-severity command injection vulnerabilities have been disclosed in the **Totolink A3300R** router, both affecting firmware version `17.0.0cu.557_b20221024` and exposing the device to remote code execution through `/cgi-bin/cstecgi.cgi`. The flaws are tracked as **`CVE-2026-5104`** and **`CVE-2026-5101`**. `CVE-2026-5104` affects the `setStaticRoute` function, where manipulation of the `ip` argument can trigger command injection, while `CVE-2026-5101` affects the `setLanCfg` function in the Parameter Handler component through the `lanIp` argument. Public exploit material has been disclosed for both issues, according to VulDB and referenced advisory material, raising the risk of active abuse against exposed devices. NVD subsequently added initial analysis for the CVEs, assigning higher **CVSS v3.1** severity assessments than the original CNA submissions and mapping the weaknesses to **`CWE-77`**, **`CWE-74`**, and **`CWE-78`**. The disclosures indicate that attackers could remotely inject operating system commands via crafted requests, making patching, exposure reduction, and monitoring of internet-facing Totolink A3300R systems urgent priorities.
1 weeks ago
Critical Root Access and Arbitrary File Write Flaws Disclosed in Network-Exposed Systems
Two high-severity vulnerabilities were disclosed affecting exposed application and device management surfaces, including a flaw that can give attackers **root access** and another that enables **arbitrary file write** through path traversal. **CVE-2026-3587** describes an unauthenticated remote attack path in a hidden CLI function that lets an attacker escape a restricted prompt and gain root access to the underlying Linux operating system, potentially leading to full device compromise. The issue was mapped to `CWE-912` and assigned a `CVSS v3.1` score vector of `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`, with CERT VDE publishing advisory `VDE-2026-020`. A separate vulnerability, **CVE-2026-5027**, affects Langflow's `POST /api/v2/files` endpoint, where improper sanitization of the multipart `filename` parameter allows path traversal using `../` sequences. An authenticated attacker can exploit the bug to write files to arbitrary filesystem locations, creating a route to compromise confidentiality, integrity, and availability. The flaw was classified as `CWE-22`, carries the `CVSS v3.1` vector `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`, and is referenced in Tenable advisory `TRA-2026-26`.
1 months ago