anonhaven
Ad

CVE-2026-34790

HIGH CVSS 4.0: 7.1 EPSS 0.21%
Updated Apr 07, 2026
Endian Firewall
Parameter Value
CVSS 7.1 (HIGH)
Affected Versions before 3.3.25
Type CWE-22 (Path Traversal)
Vendor Endian Firewall
Public PoC No

Endian Firewall version 3.3.25 and prior allow authenticated users to delete arbitrary files via directory traversal in the remove ARCHIVE parameter to /cgi-bin/backup.cgi. The remove ARCHIVE parameter value is used to construct a file path without sanitization of directory traversal sequences, which is then passed to an unlink() call.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
Low
Partial disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-22 Path Traversal

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Endian Firewall_Community
cpe:2.3:a:endian:firewall_community:*:*:*:*:*:*:*:*
 <= 3.3.25

References 2

https://help.endian.com/hc/en-us/sections/360004371358-Community
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-backup-cgi-remove-…
disclosure@vulncheck.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-34823

Endian Firewall

5.1

CVE-2026-34822

Endian Firewall

5.1

CVE-2026-34821

Endian Firewall

5.1

CVE-2026-34820

Endian Firewall

5.1

CVE-2026-34819

Endian Firewall

5.1