← Back

CVE-2026-26352

nvd nist
Published: Mar 30, 2026Modified: Apr 14, 2026

JSON object

Loading...
5.1
Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Show more
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less
Source: disclosure@vulncheck.com (Secondary)

Description

Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross-site scripting vulnerability in the /cgi-bin/vpnmain.cgi script due to improper sanitation of the VPN_IP parameter. Authenticated attackers can inject arbitrary JavaScript through VPN configuration settings that executes when the affected page is viewed by other users.

Affected (13)

Smoothwall
1 product
Smoothwall Express
Configuration A
13 vulnerable
Vulnerable SoftwareAffected Versions
Smoothwall
Smoothwall Express
Up to 3.0
Smoothwall Express
Version 3.1 update10
Smoothwall Express
Version 3.1 update11
Smoothwall Express
Version 3.1 update12
Smoothwall Express
Version 3.1 update1
Smoothwall Express
Version 3.1 update2
Smoothwall Express
Version 3.1 update3
Smoothwall Express
Version 3.1 update4
Smoothwall Express
Version 3.1 update5
Smoothwall Express
Version 3.1 update6
Smoothwall Express
Version 3.1 update7
Smoothwall Express
Version 3.1 update8
Smoothwall Express
Version 3.1 update9

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

Source: disclosure@vulncheck.com
Release NotesProduct
Source: disclosure@vulncheck.com
Third Party Advisory

Timeline

No history available yet.