Smoothwall Express Stored Cross-Site Scripting Vulnerability in VPN Configuration

Vulnerability

A stored cross-site scripting vulnerability has been identified in Smoothwall Express versions prior to 3.1 Update 13. The issue resides in the /cgi-bin/vpnmain.cgi script, where improper sanitization of the VPN_IP parameter allows authenticated attackers to inject arbitrary JavaScript. The injected script is stored and executes when the affected page is viewed by other users.

Impact

Successful exploitation results in stored cross-site scripting: injected scripts are executed in the context of the user viewing the affected page.

Remediation

Users can update to Smoothwall Express 3.1 Update 13 or later, which addresses this vulnerability by improving input sanitization in the VPN management interface.
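
The two controls that close this class of bug, as an added Python example (not Smoothwall's code and not the actual patch): strict validation of VPN_IP when it is saved, and HTML encoding when it is rendered, so a value stored before validation existed is neutralized as well. It assumes VPN_IP is meant to hold a literal IP address; the function names and the settings dictionary are hypothetical.

```python
import html
import ipaddress

# Constructed sample: a value containing markup, as might already sit in a
# settings store that was written before input validation was added.
LEGACY_VALUE = '10.0.0.1"><b>x</b>'


def parse_vpn_ip(raw: str) -> str:
    """Return the canonical address, or raise ValueError.

    Allow-list validation: anything that is not a literal IPv4/IPv6
    address is rejected outright instead of being "cleaned".
    """
    return str(ipaddress.ip_address(raw.strip()))


def store_vpn_ip(settings: dict, raw: str) -> None:
    """Persist VPN_IP only after it has passed validation (hypothetical store)."""
    settings["VPN_IP"] = parse_vpn_ip(raw)


def render_vpn_ip_field(settings: dict) -> str:
    """Render the form field, encoding the stored value for an HTML attribute.

    Output encoding is applied even though input is validated, because
    records saved by an older version may still contain markup.
    """
    value = html.escape(settings.get("VPN_IP", ""), quote=True)
    return f'<input type="text" name="VPN_IP" value="{value}">'


def audit_settings(settings: dict, keys=("VPN_IP",)) -> list:
    """Return the keys whose stored, non-empty value fails validation."""
    failed = []
    for key in keys:
        stored = settings.get(key, "")
        if not stored:
            continue  # unset field: nothing to check
        try:
            parse_vpn_ip(stored)
        except ValueError:
            failed.append(key)
    return failed
```

Running the audit function over existing configuration after updating shows whether a value that fails validation is already stored and needs to be re-entered.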

Added: Mar 30, 2026, 5:25 PM
Updated: Mar 30, 2026, 5:25 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 1.7
exploitability: 3.2
remediation: 7.7
relevance: 4.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.