Description
Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via module search. This issue affects Pandora FMS: from 777 through 800.
Published: 2026-04-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a SQL injection via the module search function in Pandora FMS. Improper neutralization of special elements in the SQL command allows attackers to inject arbitrary SQL statements. This flaw can be used to read, modify, or delete database contents, potentially leading to full database compromise. The weakness corresponds to CWE‑89 (SQL Injection).

Affected Systems

The flaw affects all Pandora FMS releases from version 777 up to 800 inclusive. Versions 800.1 and 801 contain the fix. The affected vendor is Pandora FMS.

Risk and Exploitability

The reported CVSS score is 8.7, indicating a high severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting it is not known to be actively exploited in the wild. The attack vector can be inferred to be remote, as the module search endpoint is accessed over the network. An attacker only needs to supply a specially crafted search query; no authentication or special privileges are required according to the description, making the exploit straightforward for anyone with network access to the application.

Generated by OpenCVE AI on April 13, 2026 at 18:37 UTC.

Remediation

Vendor Solution

Fixed in v800.1 and v801 Pandora FMS versions


OpenCVE Recommended Actions

  • Apply the vendor patch that brings the system to Pandora FMS v800.1 or v801.
  • Upgrade all eligible installations to the patched versions if a patch rollout is pending.
  • If a patch or upgrade cannot be performed immediately, restrict network access to the module search endpoint or block the URL entirely to prevent unauthenticated exploitation.
  • Consider implementing input validation or escaping on the module search parameter as an additional defensive measure.



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Artica; Artica pandora Fms
CPEs | | cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*
Vendors & Products | | Artica; Artica pandora Fms
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 14 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pandora Fms; Pandora Fms pandora Fms
Vendors & Products | | Pandora Fms; Pandora Fms pandora Fms

Mon, 13 Apr 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via module search. This issue affects Pandora FMS: from 777 through 800
Title | | SQL Injection in Module Search leads to Database Compromise
Weaknesses | | CWE-89
References | |
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/S:N/AU:Y/R:U/V:C/RE:L/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: PandoraFMS

Published:

Updated: 2026-04-13T17:42:09.162Z

Reserved: 2026-03-05T16:16:01.151Z

Link: CVE-2026-30813

Vulnrichment

Updated: 2026-04-13T17:42:04.969Z

NVD

Status: Analyzed

Published: 2026-04-13T16:16:26.303

Modified: 2026-04-22T14:37:22.863

Link: CVE-2026-30813

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:34:03Z
