Description
Cross-Site Request Forgery vulnerability allows an attacker to perform unauthorized actions via a crafted web page. This issue affects Pandora FMS: from 777 through 800.
Published: 2026-05-12
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Pandora FMS versions 777 through 800 contain a Cross-Site Request Forgery flaw: an attacker who gets a victim to open a crafted web page can cause the victim's browser to perform privileged actions without the victim's consent. The vulnerability permits unauthorized integrity-violating operations, such as modifying configuration, creating users, or accessing sensitive data, and is categorized as CWE-352.

Affected Systems

All deployments of Pandora FMS from version 777 up to and including 800 are affected. The vendor lists the vulnerable product as Pandora FMS.

Risk and Exploitability

The CVSS score is 7.1, indicating high severity. The EPSS score is not available, so the likelihood of exploitation cannot be quantified precisely; the vulnerability is not listed in the CISA KEV catalog. Because CSRF exploits generally require the victim to be authenticated and to visit a malicious link, the attack vector is inferred to be web-based and likely relies on a logged-in user's session. The vulnerability does not require network-level access and can be triggered remotely by an attacker who lures the victim to a malicious URL.

Generated by OpenCVE AI on May 12, 2026 at 18:05 UTC.

Remediation

Vendor Solution

Fixed in v802 and v800.2


OpenCVE Recommended Actions

  • Upgrade Pandora FMS to version 802 or 800.2 to apply the official fix.
  • If an upgrade cannot be performed immediately, restrict access to extension pages so that only authenticated administrators can reach them and ensure that any state‑changing actions are protected with a CSRF token.
  • Continuously monitor application logs for unexpected changes or configuration modifications that could indicate attempted CSRF exploitation.


Advisories

No advisories yet.

History

Tue, 12 May 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 18:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pandora Fms; Pandora Fms pandora Fms
Vendors & Products | | Pandora Fms; Pandora Fms pandora Fms

Tue, 12 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | Cross-Site Request Forgery vulnerability allows an attacker to perform unauthorized actions via crafted web page. This issue affects Pandora FMS: from 777 through 800
Title | | Cross-Site Request Forgery on Extension Pages
Weaknesses | | CWE-352
References | |
Metrics | | cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:C/RE:L/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: PandoraFMS

Published:

Updated: 2026-05-12T19:36:49.544Z

Reserved: 2026-03-05T16:16:01.150Z

Link: CVE-2026-30807

Vulnrichment

Updated: 2026-05-12T19:36:40.690Z

NVD

Status: Awaiting Analysis

Published: 2026-05-12T16:16:12.833

Modified: 2026-05-12T16:47:47.137

Link: CVE-2026-30807

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T18:15:21Z
