Description
Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via graph container parameter. This issue affects Pandora FMS: from 777 through 800.
Published: 2026-05-12
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an SQL injection flaw in the graph container parameter. An attacker who can supply or influence this parameter could inject arbitrary SQL code. The primary consequence is the ability to read, modify, or delete data stored in the database, potentially leading to data leakage or tampering. The weakness is a classic input validation issue classified as CWE-89.

Affected Systems

Pandora FMS versions 777 through 800 are affected. The fix is available in v802 and v800.2. The affected versions expose the graph container endpoint without proper sanitization. Users running any intermediate build between 777 and 800 remain vulnerable until updated.

Risk and Exploitability

The CVSS score of 7.6 indicates high impact and medium to high exploitation potential. The EPSS score is not provided, so the exact exploitation probability is unknown, but the bug is significant. It is not listed in the CISA KEV catalog, indicating no publicly known, widespread exploitation yet. The likely attack vector is the web interface, where the graph container parameter can be supplied by an authenticated or unauthenticated user, depending on the application’s access controls. If the application allows untrusted input, an attacker could leverage this injection to compromise the database.

Generated by OpenCVE AI on May 12, 2026 at 17:42 UTC.

Remediation

Vendor Solution

Fixed in v802 and v800.2


OpenCVE Recommended Actions

  • Upgrade Pandora FMS to v802 or apply the v800.2 fix
  • If upgrading immediately is not possible, disable or restrict use of the graph container feature until a patch is applied
  • After updating, validate that input handling for graph parameters uses parameterized queries or other SQL injection mitigations, as evidenced by the absence of CWE-89 findings in subsequent code analysis

Advisories

No advisories yet.

History

Tue, 12 May 2026 21:15:00 +0000

Values added:

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 18:15:00 +0000

Values added:

  • First Time appeared: Pandora Fms; Pandora Fms pandora Fms
  • Vendors & Products: Pandora Fms; Pandora Fms pandora Fms

Tue, 12 May 2026 16:00:00 +0000

Values added:

  • Description: Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via graph container parameter. This issue affects Pandora FMS: from 777 through 800
  • Title: SQL Injection in Graph Container Parameter
  • Weaknesses: CWE-89
  • References
  • Metrics: cvssV4_0 {'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:C/RE:L/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: PandoraFMS

Published:

Updated: 2026-05-12T19:42:31.682Z

Reserved: 2026-03-26T10:40:59.131Z

Link: CVE-2026-34187

Vulnrichment

Updated: 2026-05-12T19:42:26.889Z

NVD

Status: Awaiting Analysis

Published: 2026-05-12T16:16:14.800

Modified: 2026-05-12T16:47:47.137

Link: CVE-2026-34187

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T18:00:11Z
