Description
Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via WebServerModuleDebug. This issue affects Pandora FMS: from 777 through 800
Published: 2026-04-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in improper sanitization of special characters, allowing an attacker to inject operating‑system commands via the WebServerModuleDebug endpoint, resulting in remote code execution. It is classified under CWE‑78.

Affected Systems

Pandora FMS systems running versions 777 through 800 are vulnerable. The vendor has released a fix in versions 800.1 and 801, and later releases contain the patch.

Risk and Exploitability

With a CVSS base score of 8.7 the issue carries high severity. Exploitation appears possible over the network through the debug module without a documented authentication, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Generated by OpenCVE AI on April 13, 2026 at 19:05 UTC.

Remediation

Vendor Solution

Fixed in v800.1 and v801 Pandora FMS versions

OpenCVE Recommended Actions

  • Upgrade to Pandora FMS 800.1 or later to apply the vendor‑issued fix.
  • If upgrading is not immediately possible, disable the WebServerModuleDebug component or restrict access to trusted IPs using firewall or reverse proxy settings.

Generated by OpenCVE AI on April 13, 2026 at 19:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Artica
Artica pandora Fms
CPEs cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*
Vendors & Products Artica
Artica pandora Fms
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Pandora Fms
Pandora Fms pandora Fms
Vendors & Products Pandora Fms
Pandora Fms pandora Fms

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via WebServerModuleDebug. This issue affects Pandora FMS: from 777 through 800
Title OS Command Injection in WebServerModuleDebug via Blacklist Bypass leads to Remote Code Execution
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/S:N/AU:Y/R:U/V:C/RE:M/U:Amber'}

Subscriptions

Artica Pandora Fms
Pandora Fms Pandora Fms
cve-icon MITRE

Status: PUBLISHED

Assigner: PandoraFMS

Published:

Updated: 2026-04-13T18:05:50.375Z

Reserved: 2026-03-05T16:16:01.151Z

Link: CVE-2026-30809

cve-icon Vulnrichment

Updated: 2026-04-13T18:05:39.910Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-13T16:16:25.853

Modified: 2026-04-22T14:35:40.233

Link: CVE-2026-30809

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:34:06Z

Weaknesses