Description
Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via custom fields. This issue affects Pandora FMS: from 777 through 800
Published: 2026-04-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to Database Compromise
Action: Immediate Patch
AI Analysis

Impact

An improperly neutralized special element in an SQL command allows attackers to inject malicious SQL via custom fields, potentially enabling them to read or alter the underlying database. The vulnerability could lead to data leakage, unauthorized writes, or complete loss of database integrity.

Affected Systems

Pandora FMS products are affected, specifically versions from 777 through 800 inclusive. The vendor has addressed the issue in the 800.1 and 801 releases.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity risk. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is submitting malicious input through the web interface’s custom field functionality, which a remote attacker could exploit to gain unauthorized database access and potentially compromise the entire system.

Generated by OpenCVE AI on April 13, 2026 at 18:52 UTC.

Remediation

Vendor Solution

Fixed in v800.1 and v801 Pandora FMS versions

OpenCVE Recommended Actions

  • Upgrade to Pandora FMS version 800.1 or later to apply the vendor patch

Generated by OpenCVE AI on April 13, 2026 at 18:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Artica
Artica pandora Fms
CPEs cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*
Vendors & Products Artica
Artica pandora Fms
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Pandora Fms
Pandora Fms pandora Fms
Vendors & Products Pandora Fms
Pandora Fms pandora Fms

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via custom fields. This issue affects Pandora FMS: from 777 through 800
Title SQL Injection in Custom Fields leads to Database Compromise
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/S:N/AU:Y/R:U/V:C/RE:L/U:Amber'}

Subscriptions

Artica Pandora Fms
Pandora Fms Pandora Fms
cve-icon MITRE

Status: PUBLISHED

Assigner: PandoraFMS

Published:

Updated: 2026-04-13T17:30:29.986Z

Reserved: 2026-03-26T10:40:59.130Z

Link: CVE-2026-34186

cve-icon Vulnrichment

Updated: 2026-04-13T17:30:23.570Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-13T16:16:27.343

Modified: 2026-04-22T14:37:55.947

Link: CVE-2026-34186

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:34:02Z

Weaknesses