Description
A command injection vulnerability exists in Panabit PAP-XM320 up to and including V7.7. The web management interface invokes the backend helper /usr/sbin/pappiw and passes user-controlled parameters to it. The helper performs unsafe argument processing using eval, which allows command injection when attacker-controlled input is included in the arguments. As a result, an authenticated remote attacker with access to the management interface may execute arbitrary shell commands.
Published: 2026-05-19
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw that occurs when the web management interface of Panabit PAP‑XM320 passes user‑controlled data to a backend helper program via the shell. The helper uses unsafe eval logic, enabling an attacker to inject arbitrary shell commands. An attacker who can authenticate to the management interface can therefore execute any command on the device, potentially compromising the entire system.

Affected Systems

Panabit PAP‑XM320 devices running firmware versions V7.7 or earlier are affected. The vulnerability exists in the web interface that sends user input to the /usr/sbin/pappiw helper.

Risk and Exploitability

The flaw requires authentication to the web interface, but once authenticated the attacker can run arbitrary code. The EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The CVSS score is 5.4, indicating medium severity. Given the high potential impact of remote code execution, the risk is significant for deployments where the management interface is exposed to the Internet.

Generated by OpenCVE AI on May 19, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a firmware upgrade that removes the insecure /usr/sbin/pappiw helper or patches its argument handling, preferably to a version later than V7.7.
  • Restrict access to the web management interface to trusted IP addresses and re‑enable multi‑factor authentication if available to reduce the chance of unauthorized access.
  • If an upgrade is not immediately possible, disable the web management interface or, where feasible, change the default credentials to hard‑to‑guess values and monitor the device for suspicious command execution.

Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Panabit
Panabit pap-xm320
Vendors & Products Panabit
Panabit pap-xm320

Tue, 19 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title Command Injection in Panabit PAP‑XM320 Web Interface Allows Remote Authenticated Attacker to Execute Arbitrary Shell Commands

Tue, 19 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 18:15:00 +0000

Type Values Removed Values Added
Title Command Injection in Panabit PAP‑XM320 Web Interface Allows Remote Authenticated Attacker to Execute Arbitrary Shell Commands
Weaknesses CWE-78

Tue, 19 May 2026 16:45:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability exists in Panabit PAP-XM320 up to and including V7.7. The web management interface invokes the backend helper /usr/sbin/pappiw and passes user-controlled parameters to it. The helper performs unsafe argument processing using eval, which allows command injection when attacker-controlled input is included in the arguments. As a result, an authenticated remote attacker with access to the management interface may execute arbitrary shell commands.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-19T18:35:09.285Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36827

Vulnrichment

Updated: 2026-05-19T18:35:03.277Z

NVD

Status: Deferred

Published: 2026-05-19T17:16:21.937

Modified: 2026-05-19T19:16:50.047

Link: CVE-2026-36827

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:39:44Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')