endian CVE Vulnerabilities & Metrics

Focus on endian vulnerabilities and metrics.

Last updated: 16 Apr 2026, 22:25 UTC

About endian Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with endian. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total endian CVEs: 35
Earliest CVE date: 30 Jan 2008, 22:00 UTC
Latest CVE date: 02 Apr 2026, 15:16 UTC

Latest CVE reference: CVE-2026-34823

Rolling Stats

30-day Count (Rolling): 34
365-day Count (Rolling): 34

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical endian CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.41

Max CVSS: 6.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

CVSS range    Count
0.0-3.9       34
4.0-6.9       3
7.0-8.9       0
9.0-10.0      0

CVSS Distribution Chart

Top 5 Highest CVSS endian CVEs

These are the five CVEs with the highest CVSS scores for endian, sorted first by severity and then by recency.

All CVEs for endian

CVE-2026-34823 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/password/web/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34822 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the new_cert_name parameter to /manage/ca/certificate/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34821 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/vpnauthentication/user/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34820 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/ipsec/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34819 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the REMARK parameter to /cgi-bin/openvpnclient.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34818 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dnsmasq/localdomains/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34817 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the ADDRESS BCC parameter to /cgi-bin/smtprouting.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34816 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the domain parameter to /manage/smtpscan/domainrouting/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34815 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the DOMAIN parameter to /cgi-bin/smtpdomains.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34814 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the group parameter to /cgi-bin/proxygroup.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34813 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the user parameter to /cgi-bin/proxyuser.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34812 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the mimetypes parameter to /cgi-bin/proxypolicy.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34811 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/xtaccess.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34810 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/vpnfw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34809 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/zonefw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34808 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/outgoingfw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34807 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/incoming.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34806 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/snat.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34805 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/dnat.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34804 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the dscp parameter to /manage/qos/rules/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34803 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the name parameter to /manage/qos/classes/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34802 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark user ham spam parameter to /cgi-bin/salearn.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34801 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dhcp/fixed_leases/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34800 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the NAME parameter to /cgi-bin/uplinkeditor.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34799 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dnsmasq/hosts/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34798 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/routing.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

CVE-2026-34797 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_smtp.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.

CVE-2026-34796 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_openvpn.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.

CVE-2026-34795 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_log.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.

CVE-2026-34794 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_ids.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.

CVE-2026-34793 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_firewall.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.

CVE-2026-34792 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_clamav.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.

CVE-2026-34791 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_proxy.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open() call, which allows command injection due to an incomplete regular expression validation.

CVE-2026-34790 endian vulnerability CVSS: 0 02 Apr 2026, 15:16 UTC

Endian Firewall version 3.3.25 and prior allow authenticated users to delete arbitrary files via directory traversal in the remove ARCHIVE parameter to /cgi-bin/backup.cgi. The remove ARCHIVE parameter value is used to construct a file path without sanitization of directory traversal sequences, which is then passed to an unlink() call.

CVE-2021-27201 endian vulnerability CVSS: 6.5 15 Feb 2021, 19:15 UTC

Endian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in a backup comment.

CVE-2012-4923 endian vulnerability CVSS: 4.3 15 Sep 2012, 17:55 UTC

Multiple cross-site scripting (XSS) vulnerabilities in Endian Firewall 2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) createrule parameter to dnat.cgi, (2) addrule parameter to dansguardian.cgi, or (3) PATH_INFO to openvpn_users.cgi.

CVE-2008-0494 endian vulnerability CVSS: 4.3 30 Jan 2008, 22:00 UTC

Cross-site scripting (XSS) vulnerability in vpnum/userslist.php in Endian Firewall 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the psearch parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.