Description
Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. This issue affects Pandora FMS: from 777 through 800
Published: 2026-04-13
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an Unrestricted File Upload that allows the upload of files with dangerous types, resulting in the ability for an attacker to execute arbitrary code on the affected system. It is classified as a type of input validation weakness. The flaw could let a malicious user upload a script or application binary that the system later executes, giving full control over the impacted server.

Affected Systems

Pandora FMS is vulnerable in all releases from 777 up through 800. These include the core monitoring and management components distributed under the Pandora FMS brand.

Risk and Exploitability

The CVSS score of 8.6 reflects high severity with a high likelihood of exploitation if an attacker can reach the upload interface. The EPSS score is unavailable, but the vulnerability is not listed in the CISA KEV catalog. Because the flaw involves unrestricted file upload through a web interface, the likely attack vector is via a web-based upload endpoint that accepts arbitrary files without proper type validation.

Generated by OpenCVE AI on April 13, 2026 at 18:39 UTC.

Remediation

Vendor Solution

Fixed in v800.1 and v801 Pandora FMS versions

OpenCVE Recommended Actions

  • Upgrade Pandora FMS to version 800.1 or 801 to apply the vendor‑provided fix.

Generated by OpenCVE AI on April 13, 2026 at 18:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Artica
Artica pandora Fms
CPEs cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*
Vendors & Products Artica
Artica pandora Fms
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Pandora Fms
Pandora Fms pandora Fms
Vendors & Products Pandora Fms
Pandora Fms pandora Fms

Mon, 13 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. This issue affects Pandora FMS: from 777 through 800
Title Unrestricted File Upload in Extension Uploader leads to Remote Code Execution
Weaknesses CWE-434
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/S:N/AU:Y/R:U/V:C/RE:M/U:Amber'}

Subscriptions

Artica Pandora Fms
Pandora Fms Pandora Fms
cve-icon MITRE

Status: PUBLISHED

Assigner: PandoraFMS

Published:

Updated: 2026-04-13T19:23:05.754Z

Reserved: 2026-03-05T16:16:01.150Z

Link: CVE-2026-30804

cve-icon Vulnrichment

Updated: 2026-04-13T19:23:01.976Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-13T16:16:25.487

Modified: 2026-04-22T14:34:12.303

Link: CVE-2026-30804

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:34:10Z

Weaknesses