Which versions of Pandora Fms are affected by CVE-2026-30806?

Pandora FMS versions 777-800 contain a command injection vulnerability in Network Report functionality that allows low-privileged authenticated users to execute arbitrary system commands on the…

How to fix or mitigate CVE-2026-30806?

Within 24 hours: Inventory all Pandora FMS instances and identify those running versions 777-800; restrict Network Report access via firewall/WAF rules to trusted administrators only. Within 7 days: Contact Pandora FMS vendor for patch timeline and interim mitigation guidance; test deployment of input validation WAF rules if available. Within 30 days: Upgrade all affected instances to a version newer than 800 (pending vendor patch release confirmation); validate remediation by attempted command injection testing.

Pandora Fms CVE-2026-30806

Q: What is the CVSS score of CVE-2026-30806?

CVE-2026-30806 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber. EPSS exploitation probability: 0.6%.

EUVD-2026-21988 HIGH

OS Command Injection (CWE-78)

2026-04-13 PandoraFMS

Command Injection Pandora Fms

8.7

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 17, 2026 - 15:52 vuln.today

cvss_changed

Analysis Generated

Apr 13, 2026 - 16:42 vuln.today

CVSS changed

Apr 13, 2026 - 16:22 NVD

8.7 (HIGH)

EUVD ID Assigned

Apr 13, 2026 - 16:15 euvd

EUVD-2026-21988

Analysis Generated

Apr 13, 2026 - 16:15 vuln.today

CVE Published

Apr 13, 2026 - 15:45 nvd

HIGH 8.7

DescriptionCVE.org

Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Network Report. This issue affects Pandora FMS: from 777 through 800

AnalysisAI

OS command injection in Pandora FMS versions 777 through 800 allows authenticated remote attackers to execute arbitrary system commands via the Network Report functionality. The vulnerability stems from improper input sanitization of special elements used in OS commands. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain low-privilege credentials

Delivery

Access Network Report feature

Exploit

Inject malicious OS commands in report parameters

Execution

Application executes commands without sanitization

Persist

Attacker gains code execution on monitoring server

Impact

Exfiltrate credentials and monitoring data