Description
Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue affects Pandora FMS: from 777 through 800.
Published: 2026-04-13
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Upgrade
AI Analysis

Impact

The vulnerability arises from improper neutralization of user-supplied input when Pandora FMS renders event comments: comment text is written into the event view without adequate output encoding, and the CVE title indicates that the existing input filter can be bypassed. An attacker who can add a comment stores a script that then executes in the browser of every user who views that event. The flaw is classified as CWE-79 (stored cross-site scripting) and enables client-side attacks such as session hijacking, console actions performed with the victim's privileges, defacement, or delivery of malicious content. Impact is limited to users who view the affected event comments; the flaw gives no direct server-side code execution or privilege escalation, although a payload executed by an administrator inherits that administrator's console access.
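As an added illustration (this is not Pandora FMS code, and it does not reproduce the advisory's bypass, which is not published here), the block below contrasts a hypothetical deny-list comment filter with contextual HTML output encoding. `naiveFilter`, `renderComment` and the sample payloads are constructed for the example; the point is that a filter that strips known-bad tokens can be bypassed by markup it does not list, whereas encoding the characters that open and close markup neutralizes any input in an HTML text context.

```javascript
// Added example for this page; it is not Pandora FMS code and does not
// reproduce the advisory's (unpublished) bypass. It contrasts a hypothetical
// deny-list comment filter with proper HTML output encoding.

// Hypothetical deny-list filter of the kind a "filter bypass" defeats: it
// strips <script> blocks and "javascript:" but leaves all other markup.
function naiveFilter(comment) {
  return String(comment)
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/javascript:/gi, '');
}

// Correct neutralization for an HTML text context (the CWE-79 fix): encode
// the characters that can open or close markup so the viewer's browser only
// ever sees the comment as text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Stand-in for the console view that renders one event comment into a cell.
function renderComment(comment, neutralize) {
  return `<td class="event-comment">${neutralize(comment)}</td>`;
}

// Crude oracle for "would this execute": a script tag or an on* event-handler
// attribute survived into the rendered HTML.
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /<[^>]+\son\w+\s*=/i.test(html);
}

// Constructed inputs (not from the advisory): one the deny list catches,
// one it does not, and a benign comment that must survive intact.
const SAMPLE_COMMENTS = [
  '<script>alert(document.cookie)</script>',
  '<img src=x onerror=alert(document.cookie)>',
  'Disk at 95% on web-01, acknowledged',
];

// Returns, per sample, whether active markup survives each defence.
function evaluate(comments = SAMPLE_COMMENTS) {
  return comments.map((c) => ({
    comment: c,
    activeAfterFilter: containsActiveMarkup(renderComment(c, naiveFilter)),
    activeAfterEncoding: containsActiveMarkup(renderComment(c, encodeForHtml)),
  }));
}

// Usage: console.table(evaluate());
```

Running `evaluate()` shows the second sample surviving `naiveFilter` with its `onerror` handler intact while `encodeForHtml` renders every sample inert. Encoding must match the output context: the escaper above is only correct for HTML element text, and a comment interpolated into an attribute, a URL, or a script block needs the encoder for that context.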

Affected Systems

Pandora FMS is affected. The flaw exists in every release from 777 through 800 inclusive; the vendor states it is fixed in v800.1 and v801, so those and later releases are not impacted.

Risk and Exploitability

The assigner's CVSS 4.0 base score is 2.1 (Low); NVD's separate CVSS 3.1 score is 5.4 (Medium, scope changed), reflecting that the script runs in other users' browser sessions. EPSS is below 1%, and the CVE is not listed in the CISA KEV catalog. The attack vector is the network-facing console: an attacker with a low-privileged account able to add event comments (PR:L) stores a payload that gets past the comment filter (the CVSS 4.0 vector's AT:P records an attack precondition, plausibly the filter bypass named in the title), and the console then serves it to every user who views the event, with no interaction beyond viewing (UI:P). Because the payload runs with the viewing user's console privileges, an administrator opening the event is the realistic target. The assigner nonetheless rates overall risk low, given the account and filter-bypass requirements.

Generated by OpenCVE AI on April 13, 2026 at 18:37 UTC.

Remediation

Vendor Solution

Fixed in Pandora FMS versions v800.1 and v801.


OpenCVE Recommended Actions

  • Upgrade Pandora FMS to version 800.1 or later
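As an added check (not Pandora FMS tooling), the block below decides whether a reported Pandora FMS release falls inside the affected range 777 through 800 inclusive, treating 800.1 and 801 as fixed, so an inventory can be triaged before upgrading. The hostnames are constructed, and accepting a build string with a trailing `NG.<release>` segment is an assumption about how the console reports its version, not something the advisory states.

```javascript
// Added example, not Pandora FMS tooling: decides whether an installed
// Pandora FMS release is inside the affected range 777..800 (inclusive)
// named in the advisory, so that an inventory can be checked before upgrading.

const AFFECTED_FROM = [777, 0];
const AFFECTED_THROUGH = [800, 0]; // 800 is affected; 800.1 and 801 are fixed

// Extracts [release, patch] from strings such as "777", "v800", "800.1" or
// "v801". Handling a trailing "...NG.800.1" form is an assumption about how
// the console reports its build string, not something the advisory states.
function parseRelease(version) {
  const m = /(\d{3})(?:\.(\d+))?\s*$/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised Pandora FMS version: ${version}`);
  return [Number(m[1]), Number(m[2] || 0)];
}

// Lexicographic compare on [release, patch]; negative, zero or positive.
function compareRelease(a, b) {
  return a[0] !== b[0] ? a[0] - b[0] : a[1] - b[1];
}

// True when the release needs the upgrade to 800.1 / 801 or later.
function isAffected(version) {
  const r = parseRelease(version);
  return compareRelease(r, AFFECTED_FROM) >= 0 && compareRelease(r, AFFECTED_THROUGH) <= 0;
}

// Classifies an inventory of hostname -> reported version.
function triage(inventory) {
  return Object.entries(inventory).map(([host, version]) => ({
    host,
    version,
    needsUpgrade: isAffected(version),
  }));
}

// Constructed inventory; these are not real hosts.
const SAMPLE_INVENTORY = {
  'mon-01': 'v7.0NG.777',
  'mon-02': '800',
  'mon-03': 'v800.1',
  'mon-04': '776',
  'mon-05': '801',
};

// Usage: triage(SAMPLE_INVENTORY).filter((r) => r.needsUpgrade)
```

The inclusive upper bound matters: a plain "800" must be flagged while "800.1" must not, which is why the comparison carries the patch component rather than truncating to the integer release.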


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:45:00 +0000

Type                | Values removed | Values added
First Time appeared | -              | Artica; Artica pandora Fms
CPEs                | -              | cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*
Vendors & Products  | -              | Artica; Artica pandora Fms
Metrics             | -              | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Tue, 14 Apr 2026 16:30:00 +0000

Type                | Values removed | Values added
First Time appeared | -              | Pandora Fms; Pandora Fms pandora Fms
Vendors & Products  | -              | Pandora Fms; Pandora Fms pandora Fms

Mon, 13 Apr 2026 18:15:00 +0000

Type    | Values removed | Values added
Metrics | -              | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 16:15:00 +0000

Type        | Values removed | Values added
Description | -              | Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue affects Pandora FMS: from 777 through 800
Title       | -              | Stored Cross-Site Scripting in Event Comments via Filter Bypass
Weaknesses  | -              | CWE-79
References  | -              |
Metrics     | -              | cvssV4_0 {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:A/V:D/RE:L/U:Amber'}


Subscriptions

Artica Pandora Fms
Pandora Fms Pandora Fms
MITRE

Status: PUBLISHED

Assigner: PandoraFMS

Published:

Updated: 2026-04-13T17:55:20.404Z

Reserved: 2026-03-05T16:16:01.151Z

Link: CVE-2026-30812

Vulnrichment

Updated: 2026-04-13T17:55:15.593Z

NVD

Status : Analyzed

Published: 2026-04-13T16:16:26.147

Modified: 2026-04-22T14:36:08.760

Link: CVE-2026-30812

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:34:04Z

Weaknesses