CVE-2019-25378

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple cross-site scripting vulnerabilities in the proxy.cgi endpoint that allow attackers to inject malicious scripts through parameters including CACHE_SIZE, MAX_SIZE, MIN_SIZE, MAX_OUTGOING_SIZE, and MAX_INCOMING_SIZE. Attackers can submit POST requests with script payloads to store or reflect arbitrary JavaScript code that executes in users' browsers when the proxy configuration page is accessed.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
http://www.smoothwall.org	Product
https://www.exploit-db.com/exploits/46333	Exploit Third Party Advisory VDB Entry
https://www.vulncheck.com/advisories/smoothwall-express-proxycgi-cross-site-scripting	Broken Link

Configurations

Configuration 1 (hide)

cpe:2.3:o:smoothwall:smoothwall_express:3.1:sp4:*:*:-:*:*:*

History

20 Feb 2026, 21:23

Type	Values Removed	Values Added
CPE	cpe:2.3:o:smoothwall:smoothwall_express:3.1:::::::*	cpe:2.3:o:smoothwall:smoothwall_express:3.1:sp4:::-:::*

18 Feb 2026, 20:17

Type	Values Removed	Values Added
First Time		Smoothwall smoothwall Express Smoothwall
References	~~() http://www.smoothwall.org -~~	() http://www.smoothwall.org - Product
References	~~() https://www.exploit-db.com/exploits/46333 -~~	() https://www.exploit-db.com/exploits/46333 - Exploit, Third Party Advisory, VDB Entry
References	~~() https://www.vulncheck.com/advisories/smoothwall-express-proxycgi-cross-site-scripting -~~	() https://www.vulncheck.com/advisories/smoothwall-express-proxycgi-cross-site-scripting - Broken Link
CPE		cpe:2.3:o:smoothwall:smoothwall_express:3.1:::::::*

18 Feb 2026, 17:52

Type	Values Removed	Values Added
Summary		(es) Smoothwall Express 3.1-SP4-polar-x86_64-update9 contiene múltiples vulnerabilidades de cross-site scripting en el endpoint proxy.cgi que permiten a los atacantes inyectar scripts maliciosos a través de parámetros que incluyen CACHE_SIZE, MAX_SIZE, MIN_SIZE, MAX_OUTGOING_SIZE y MAX_INCOMING_SIZE. Los atacantes pueden enviar solicitudes POST con cargas útiles de script para almacenar o reflejar código JavaScript arbitrario que se ejecuta en los navegadores de los usuarios cuando se accede a la página de configuración del proxy.

16 Feb 2026, 18:19

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-16 18:19

Updated : 2026-02-20 21:23

NVD link : CVE-2019-25378

Mitre link : CVE-2019-25378

CVE.ORG link : CVE-2019-25378

JSON object : View

Products Affected

smoothwall

smoothwall_express

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10