Vulnerability Details CVE-2026-34790
Endian Firewall versions 3.3.25 and prior allow authenticated users to delete arbitrary files via directory traversal in the remove ARCHIVE parameter to /cgi-bin/backup.cgi. The remove ARCHIVE parameter value is used to construct a file path without sanitizing directory traversal sequences, and that path is then passed to an unlink() call.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 56.8%
CVSS Severity
CVSS v3 Score 7.1
Products affected by CVE-2026-34790
- cpe:2.3:a:endian:firewall_community:3.3.2