Smoothwall Express: Malicious Code Injection Through Web Request
CVE-2019-25393
Summary
Attackers can inject malicious scripts into Smoothwall Express 3.1-SP4-polar-x86_64-update9 by sending a specially crafted web request, potentially allowing them to take control of user sessions or steal sensitive information. This vulnerability can be exploited without requiring a login, making it a concern for public-facing Smoothwall Express installations. Users should update to a patched version as soon as possible.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| smoothwall | smoothwall_express | 3.1 | – |
Original title
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient ...
Original description
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation. Attackers can submit POST requests to the smoothinfo.cgi endpoint with script payloads in the WRAP or SECTIONTITLE parameters to execute arbitrary JavaScript in victim browsers.
NVD CVSS 3.1
6.1
NVD CVSS 4.0
5.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- http://www.smoothwall.org (Product)
- https://www.exploit-db.com/exploits/46333 (Exploit, Third Party Advisory, VDB Entry)
- https://www.vulncheck.com/advisories/smoothwall-express-smoothinfocgi-cross-site... (Broken Link)
Published: 16 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026