Description
Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Event Response execution. This issue affects Pandora FMS: from 777 through 800.
Published: 2026-04-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: OS Command Injection
Action: Patch Immediately
AI Analysis

Impact

This vulnerability permits an attacker to inject arbitrary operating system commands through the Event Response execution mechanism in Pandora FMS. The injected commands are executed with the privileges of the Pandora FMS service, potentially leading to full compromise of the host. Being an OS Command Injection flaw (CWE‑78), the impact is high, reflected in a CVSS score of 7.5.

Affected Systems

Pandora FMS versions 777 through 800 are impacted. The problem has been corrected in the publicly released v800.1 and v801 updates. Any deployment running a vulnerable revision must upgrade to a patched version to eliminate the risk.

Risk and Exploitability

The CVSS base score of 7.5 indicates substantial risk, yet there is no EPSS data and the vulnerability is not listed in CISA's KEV catalog, suggesting no active exploitation. The likely attack vector is inferred to be remote exploitation via the Pandora FMS web interface or API that triggers Event Response execution, requiring the attacker to supply unsanitized input. Successful exploitation would allow arbitrary command execution on the host that runs the service.

Generated by OpenCVE AI on April 13, 2026 at 18:51 UTC.

Remediation

Vendor Solution

Fixed in Pandora FMS versions v800.1 and v801.


OpenCVE Recommended Actions

  • Apply the vendor patch v800.1 or v801 to Pandora FMS
  • Restart Pandora FMS services to ensure the patch takes effect



Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pandora Fms; Pandora Fms pandora Fms
Vendors & Products | | Pandora Fms; Pandora Fms pandora Fms

Mon, 13 Apr 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Event Response execution. This issue affects Pandora FMS: from 777 through 800
Title | | OS Command Injection in Event Response Execution
Weaknesses | | CWE-78
References | |
Metrics | | cvssV4_0: {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/S:N/AU:N/R:U/V:C/RE:M/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: PandoraFMS

Published:

Updated: 2026-04-13T17:25:33.664Z

Reserved: 2026-03-26T10:40:59.131Z

Link: CVE-2026-34188

Vulnrichment

Updated: 2026-04-13T17:25:29.682Z

NVD

Status: Received

Published: 2026-04-13T16:16:27.487

Modified: 2026-04-13T16:16:27.487

Link: CVE-2026-34188

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:34:01Z

Weaknesses