{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26352", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-13T17:28:43.057Z", "datePublished": "2026-03-30T16:49:16.761Z", "dateUpdated": "2026-03-30T18:09:05.294Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-30T16:50:41.422Z"}, "title": "Smoothwall Express < 3.1 Update 13 Stored XSS in vpnmain.cgi via VPN_IP Parameter", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "affected": [{"vendor": "Smoothwall", "product": "Express", "repo": "https://sourceforge.net/projects/smoothwall/", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "3.1 Update 13", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross-site scripting vulnerability in the /cgi-bin/vpnmain.cgi script due to improper sanitation of the VPN_IP parameter. Authenticated attackers can inject arbitrary JavaScript through VPN configuration settings that executes when the affected page is viewed by other users.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross-site scripting vulnerability in the /cgi-bin/vpnmain.cgi script due to improper sanitation of the VPN_IP parameter. Authenticated attackers can inject arbitrary JavaScript through VPN configuration settings that executes when the affected page is viewed by other users."}]}], "references": [{"url": "https://community.smoothwall.org/forum/viewtopic.php?t=45095", "tags": ["vendor-advisory", "patch"]}, {"url": "https://www.vulncheck.com/advisories/smoothwall-express-stored-xss-in-vpnmain-cgi-via-vpn-ip-parameter", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "credits": [{"lang": "en", "value": "Alex Williams from Pellera Technologies", "type": "finder"}, {"lang": "en", "value": "VulnCheck", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T18:08:28.119085Z", "id": "CVE-2026-26352", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:09:05.294Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26352", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T18:08:28.119085Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:08:53.779Z"}}], "cna": {"title": "Smoothwall Express < 3.1 Update 13 Stored XSS in vpnmain.cgi via VPN_IP Parameter", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Alex Williams from Pellera Technologies"}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://sourceforge.net/projects/smoothwall/", "vendor": "Smoothwall", "product": "Express", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.1 Update 13"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://community.smoothwall.org/forum/viewtopic.php?t=45095", "tags": ["vendor-advisory", "patch"]}, {"url": "https://www.vulncheck.com/advisories/smoothwall-express-stored-xss-in-vpnmain-cgi-via-vpn-ip-parameter", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross-site scripting vulnerability in the /cgi-bin/vpnmain.cgi script due to improper sanitation of the VPN_IP parameter. Authenticated attackers can inject arbitrary JavaScript through VPN configuration settings that executes when the affected page is viewed by other users.", "supportingMedia": [{"type": "text/html", "value": "Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross-site scripting vulnerability in the /cgi-bin/vpnmain.cgi script due to improper sanitation of the VPN_IP parameter. Authenticated attackers can inject arbitrary JavaScript through VPN configuration settings that executes when the affected page is viewed by other users.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-30T16:50:41.422Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26352", "state": "PUBLISHED", "dateUpdated": "2026-03-30T18:09:05.294Z", "dateReserved": "2026-02-13T17:28:43.057Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-30T16:49:16.761Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0BC090B-12A9-4A0E-9BD2-EFA56B569432", "versionEndIncluding": "3.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update1:*:*:-:*:*:*", "matchCriteriaId": "714B3296-7323-4920-8832-827C697ABED8", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update10:*:*:-:*:*:*", "matchCriteriaId": "07EF8E3A-93A2-4A5A-A077-B692D7B4D92F", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update11:*:*:-:*:*:*", "matchCriteriaId": "2B3D4296-EE7C-46FD-A734-419DC0BDFB7A", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update12:*:*:-:*:*:*", "matchCriteriaId": "230A2DC9-DE28-4D18-99B8-0567CE99969C", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update2:*:*:-:*:*:*", "matchCriteriaId": "5F0EED85-4850-4303-9529-E45868061C90", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update3:*:*:-:*:*:*", "matchCriteriaId": "0A0D511A-9CBB-4586-BF80-AAC12101B9E4", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update4:*:*:-:*:*:*", "matchCriteriaId": "2999F419-BAF9-4660-8983-BB5A8374450E", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update5:*:*:-:*:*:*", "matchCriteriaId": "83811BB5-B833-4594-823D-C47CB8499DD0", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update6:*:*:-:*:*:*", "matchCriteriaId": "E2A35B5F-2BFD-43D2-B0AC-EFCA7A5A8E2C", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update7:*:*:-:*:*:*", "matchCriteriaId": "60C265FF-2CB3-4A44-9017-451D06E2CBE4", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update8:*:*:-:*:*:*", "matchCriteriaId": "E5DB05A8-F012-4258-82B9-B42884F88722", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update9:*:*:-:*:*:*", "matchCriteriaId": "D5EF08B4-276D-4EE1-A079-3A2E61FED713", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross-site scripting vulnerability in the /cgi-bin/vpnmain.cgi script due to improper sanitation of the VPN_IP parameter. Authenticated attackers can inject arbitrary JavaScript through VPN configuration settings that executes when the affected page is viewed by other users."}, {"lang": "es", "value": "Smoothwall Express versiones anteriores a 3.1 Update 13 contienen una vulnerabilidad de cross-site scripting almacenado en el script /cgi-bin/vpnmain.cgi debido a una sanitizaci\u00f3n inadecuada del par\u00e1metro VPN_IP. Atacantes autenticados pueden inyectar JavaScript arbitrario a trav\u00e9s de la configuraci\u00f3n de VPN que se ejecuta cuando la p\u00e1gina afectada es vista por otros usuarios."}], "id": "CVE-2026-26352", "lastModified": "2026-04-14T16:34:30.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-30T17:16:14.363", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Release Notes", "Product"], "url": "https://community.smoothwall.org/forum/viewtopic.php?t=45095"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/smoothwall-express-stored-xss-in-vpnmain-cgi-via-vpn-ip-parameter"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1 Update 13]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Express", "source": "cna", "vendor": "Smoothwall"}, "product": "express", "vendor": "smoothwall"}], "analysis": {"en": {"generated_at": "2026-04-14T17:27:51.867820+00:00", "value": {"mitigation_remediation": ["Upgrade to Smoothwall Express 3.1 Update\u202f13 or a newer version.", "Restrict access to the VPN configuration interface so that only privileged users can edit the VPN_IP parameter.", "If an immediate update is not possible, block or remove the vulnerable /cgi\u2011bin/vpnmain.cgi script from the production environment."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Smoothwall\u202fExpress builds with a version number less than 3.1 Update\u202f13, including releases 3.1 Update\u202f0 through Update\u202f12 and any older pre\u20113.1 versions. System administrators should confirm the exact build in use and plan an update.", "description_and_impact": "Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross\u2011site scripting flaw in the /cgi\u2011bin/vpnmain.cgi script. The VPN_IP parameter is not properly sanitized, which allows an authenticated user to inject arbitrary JavaScript into VPN configuration settings. When other users view the affected page, the malicious script executes within their browsers, potentially exposing credentials or session data.", "risk_and_exploitability": "The flaw has a CVSS base score of 5.1, indicating moderate risk. The EPSS score is below 1\u202f%, implying a low probability of exploitation. It is not listed in the CISA KEV catalog. An attacker must first authenticate to the management interface and possess permissions to modify VPN settings in order to inject malicious code; thus the threat requires insider or compromised\u2011user access rather than remote exploitation. Nonetheless, the stored XSS can lead to credential theft and session hijacking for other users viewing the vulnerable page."}}}}, "created": "2026-03-30T20:55:30.018790+00:00", "updated": "2026-04-15T16:45:09.791941+00:00", "vendors": ["smoothwall", "smoothwall$PRODUCT$express"]}