Description
Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Network Report. This issue affects Pandora FMS: from 777 through 800
Published: 2026-04-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

An improper handling of special elements in the Network Report feature allows an attacker to inject operating system commands, which is a classic OS command injection flaw. This flaw enables the execution of arbitrary shell commands, giving an attacker complete control over the affected server. The weakness is identified as CWE‑78, the standard classification for this type of vulnerability.

Affected Systems

Pandora FMS versions from 777 through 800 are vulnerable due to the Network Report module. The issue exists in all deployments of these versions, regardless of platform, unless or until the system is upgraded to v800.1 or v801.

Risk and Exploitability

The CVSS score of 8.7 classifies this as a high‑severity vulnerability. EPSS data is not available, and it is not listed in the KEV catalog, so while the exact exploitation probability is not quantified, the flaw allows attackers who can reach the Network Report endpoint to trigger remote code execution, likely through the web interface or API. This provides a serious threat to confidentiality, integrity, and availability for affected systems.

Generated by OpenCVE AI on April 13, 2026 at 19:06 UTC.

Remediation

Vendor Solution

Fixed in v800.1 and v801 Pandora FMS versions

OpenCVE Recommended Actions

  • Upgrade Pandora FMS to v800.1 or later (v801) to apply the vendor‑issued fix for the OS command injection flaw.
  • Restrict access to the Network Report functionality to trusted administrators only.
  • Monitor web and system logs for unexpected command execution attempts.

Generated by OpenCVE AI on April 13, 2026 at 19:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Artica
Artica pandora Fms
CPEs cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*
Vendors & Products Artica
Artica pandora Fms
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Pandora Fms
Pandora Fms pandora Fms
Vendors & Products Pandora Fms
Pandora Fms pandora Fms

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Network Report. This issue affects Pandora FMS: from 777 through 800
Title OS Command Injection in Network Report leads to Remote Code Execution
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/S:N/AU:Y/R:U/V:C/RE:M/U:Amber'}

Subscriptions

Artica Pandora Fms
Pandora Fms Pandora Fms
cve-icon MITRE

Status: PUBLISHED

Assigner: PandoraFMS

Published:

Updated: 2026-04-13T18:08:02.082Z

Reserved: 2026-03-05T16:16:01.150Z

Link: CVE-2026-30806

cve-icon Vulnrichment

Updated: 2026-04-13T18:07:22.972Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-13T16:16:25.680

Modified: 2026-04-22T14:35:07.933

Link: CVE-2026-30806

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:34:08Z

Weaknesses