{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27508", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-19T19:51:07.327Z", "datePublished": "2026-03-30T16:51:50.165Z", "dateUpdated": "2026-03-31T18:05:32.880Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-30T16:51:50.165Z"}, "title": "Smoothwall Express < 3.1 Update 13 Reflected XSS in redirect.cgi via url Parameter", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "affected": [{"vendor": "Smoothwall", "product": "Express", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "3.1 Update 13", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Smoothwall Express versions prior to 3.1 Update 13 contain a reflected cross-site scripting vulnerability in the /redirect.cgi endpoint due to improper sanitation of the url parameter. Attackers can craft malicious URLs with javascript: schemes that execute arbitrary JavaScript in victims' browsers when clicked through the unsanitized link.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Smoothwall Express versions prior to 3.1 Update 13 contain a reflected cross-site scripting vulnerability in the /redirect.cgi endpoint due to improper sanitation of the url parameter. Attackers can craft malicious URLs with javascript: schemes that execute arbitrary JavaScript in victims' browsers when clicked through the unsanitized link."}]}], "references": [{"url": "https://community.smoothwall.org/forum/viewtopic.php?t=45095", "tags": ["vendor-advisory", "patch"]}, {"url": "https://www.vulncheck.com/advisories/smoothwall-express-reflected-xss-in-redirect-cgi-via-url-parameter", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}}], "credits": [{"lang": "en", "value": "Alex Williams from Pellera Technologies", "type": "finder"}, {"lang": "en", "value": "VulnCheck", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T17:51:51.058978Z", "id": "CVE-2026-27508", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:05:32.880Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27508", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T17:51:51.058978Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T17:51:54.480Z"}}], "cna": {"title": "Smoothwall Express < 3.1 Update 13 Reflected XSS in redirect.cgi via url Parameter", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Alex Williams from Pellera Technologies"}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Smoothwall", "product": "Express", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.1 Update 13"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://community.smoothwall.org/forum/viewtopic.php?t=45095", "tags": ["vendor-advisory", "patch"]}, {"url": "https://www.vulncheck.com/advisories/smoothwall-express-reflected-xss-in-redirect-cgi-via-url-parameter", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "Smoothwall Express versions prior to 3.1 Update 13 contain a reflected cross-site scripting vulnerability in the /redirect.cgi endpoint due to improper sanitation of the url parameter. Attackers can craft malicious URLs with javascript: schemes that execute arbitrary JavaScript in victims' browsers when clicked through the unsanitized link.", "supportingMedia": [{"type": "text/html", "value": "Smoothwall Express versions prior to 3.1 Update 13 contain a reflected cross-site scripting vulnerability in the /redirect.cgi endpoint due to improper sanitation of the url parameter. Attackers can craft malicious URLs with javascript: schemes that execute arbitrary JavaScript in victims' browsers when clicked through the unsanitized link.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-30T16:51:50.165Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27508", "state": "PUBLISHED", "dateUpdated": "2026-03-31T18:05:32.880Z", "dateReserved": "2026-02-19T19:51:07.327Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-30T16:51:50.165Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0BC090B-12A9-4A0E-9BD2-EFA56B569432", "versionEndIncluding": "3.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update1:*:*:-:*:*:*", "matchCriteriaId": "714B3296-7323-4920-8832-827C697ABED8", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update10:*:*:-:*:*:*", "matchCriteriaId": "07EF8E3A-93A2-4A5A-A077-B692D7B4D92F", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update11:*:*:-:*:*:*", "matchCriteriaId": "2B3D4296-EE7C-46FD-A734-419DC0BDFB7A", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update12:*:*:-:*:*:*", "matchCriteriaId": "230A2DC9-DE28-4D18-99B8-0567CE99969C", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update2:*:*:-:*:*:*", "matchCriteriaId": "5F0EED85-4850-4303-9529-E45868061C90", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update3:*:*:-:*:*:*", "matchCriteriaId": "0A0D511A-9CBB-4586-BF80-AAC12101B9E4", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update4:*:*:-:*:*:*", "matchCriteriaId": "2999F419-BAF9-4660-8983-BB5A8374450E", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update5:*:*:-:*:*:*", "matchCriteriaId": "83811BB5-B833-4594-823D-C47CB8499DD0", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update6:*:*:-:*:*:*", "matchCriteriaId": "E2A35B5F-2BFD-43D2-B0AC-EFCA7A5A8E2C", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update7:*:*:-:*:*:*", "matchCriteriaId": "60C265FF-2CB3-4A44-9017-451D06E2CBE4", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update8:*:*:-:*:*:*", "matchCriteriaId": "E5DB05A8-F012-4258-82B9-B42884F88722", "vulnerable": true}, {"criteria": "cpe:2.3:o:smoothwall:smoothwall_express:3.1:update9:*:*:-:*:*:*", "matchCriteriaId": "D5EF08B4-276D-4EE1-A079-3A2E61FED713", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Smoothwall Express versions prior to 3.1 Update 13 contain a reflected cross-site scripting vulnerability in the /redirect.cgi endpoint due to improper sanitation of the url parameter. Attackers can craft malicious URLs with javascript: schemes that execute arbitrary JavaScript in victims' browsers when clicked through the unsanitized link."}, {"lang": "es", "value": "Las versiones de Smoothwall Express anteriores a 3.1 Update 13 contienen una vulnerabilidad de cross-site scripting reflejado en el endpoint /redirect.cgi debido a una sanitizaci\u00f3n inadecuada del par\u00e1metro url. Los atacantes pueden crear URLs maliciosas con esquemas javascript: que ejecutan JavaScript arbitrario en los navegadores de las v\u00edctimas cuando se hace clic en el enlace no sanitizado."}], "id": "CVE-2026-27508", "lastModified": "2026-04-14T16:32:57.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-30T17:16:15.440", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product", "Release Notes"], "url": "https://community.smoothwall.org/forum/viewtopic.php?t=45095"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/smoothwall-express-reflected-xss-in-redirect-cgi-via-url-parameter"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1 Update 13]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Express", "source": "cna", "vendor": "Smoothwall"}, "product": "express", "vendor": "smoothwall"}], "analysis": {"en": {"generated_at": "2026-04-14T17:27:37.010266+00:00", "value": {"mitigation_remediation": ["Upgrade Smoothwall Express to 3.1 Update 13 or later to remove the unsanitized url handling in redirect.cgi", "Verify that the redirect.cgi endpoint no longer accepts javascript: schemes in its url parameter", "If the redirect functionality is not required, consider disabling the /redirect.cgi endpoint to reduce attack surface", "Monitor for unexpected or malicious link usage and apply additional filtering or logging as a temporary safeguard"], "summary": {"action": "Patch", "impact": "Cross\u2011site scripting via unsanitized url parameter in /redirect.cgi"}, "threat_synthesis": {"affected_systems": "All Smoothwall Express deployments running any version before the 3.1 Update 13 release are vulnerable, including updates 1 through 12 of the 3.1 release line. The vulnerability does not affect later updates beyond 3.1 Update 13 or subsequent major releases.", "description_and_impact": "Smoothwall Express versions before 3.1 Update 13 suffer from a reflected cross\u2011site scripting flaw in the /redirect.cgi, where the url parameter is not properly sanitized. This flaw allows attackers to embed malicious javascript: schemes into the link which, when a user clicks the link, execute arbitrary JavaScript in the victim\u2019s browser, potentially compromising user sessions and confidential data. The weakness is identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 5.1 indicates medium severity. The EPSS score of less than 1% suggests the likelihood of exploitation on any given day is low, and the vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Attackers can craft malicious links without authentication, so the primary attack vector is via browser exploitation when users click crafted URLs."}}}}, "created": "2026-03-30T20:55:29.110867+00:00", "updated": "2026-04-15T16:45:09.791249+00:00", "vendors": ["smoothwall", "smoothwall$PRODUCT$express"]}