Skip to main content

Pandora FMS CVE-2026-30808

| EUVDEUVD-2026-29496 HIGH
Session Fixation (CWE-384)
2026-05-12 PandoraFMS GHSA-j2qp-cx58-m78p
7.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:L/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:L/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
N

Lifecycle Timeline

3
Analysis Generated
May 12, 2026 - 16:33 vuln.today
CVSS changed
May 12, 2026 - 16:22 NVD
7.6 (HIGH)
CVE Published
May 12, 2026 - 15:11 nvd
HIGH 7.6

DescriptionCVE.org

Session Fixation vulnerability allows Session Hijacking via crafted session ID. This issue affects Pandora FMS: from 777 through 800

AnalysisAI

Session fixation in Pandora FMS versions 777-800 enables session hijacking when attackers supply crafted session IDs to users. Successful exploitation grants attackers complete access to victim user sessions with high confidentiality and integrity impact. No public exploit code identified at time of analysis, though attack complexity is low with network-based delivery requiring only user interaction (CVSS 7.6).

Technical ContextAI

Session fixation (CWE-384) occurs when an application accepts externally-supplied session identifiers without proper regeneration upon authentication. In Pandora FMS - an open-source network monitoring platform - versions 777 through 800 fail to regenerate session tokens after login, allowing attackers to pre-set session IDs. The CVSS 4.0 vector shows network attack vector (AV:N), low complexity (AC:L), present attack requirements (AT:P), and required user interaction (UI:P), indicating the application accepts session IDs from URL parameters or cookies without validation. The affected CPE (cpe:2.3:a:pandora_fms:pandora_fms) confirms this targets the core Pandora FMS application across the specified version range.

RemediationAI

Upgrade Pandora FMS to version 801 or later, which presumably addresses the session fixation vulnerability (version inferred from 'through 800' statement - exact patched version not independently confirmed in provided data). Consult the Pandora FMS security advisory at https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ for official upgrade instructions and release notes. If immediate patching is infeasible, implement compensating controls: configure web application firewall rules to block session ID parameters in URLs (sid, sessionid, PHPSESSID patterns), enforce session regeneration through reverse proxy layer using mod_session or equivalent, and restrict Pandora FMS access to trusted networks via IP allowlisting. Note these mitigations reduce but do not eliminate risk, as cookie-based fixation may still be possible. Enable HTTP Strict Transport Security and secure cookie flags (HttpOnly, Secure, SameSite=Strict) to limit session token leakage vectors. Monitor authentication logs for suspicious session activity patterns such as session reuse across disparate IP addresses.

CVE-2017-12965 CRITICAL POC
9.8 Aug 23

Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa

CVE-2025-28242 CRITICAL POC
9.8 Apr 18

Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session

CVE-2022-40916 CRITICAL POC
9.8 Feb 06

Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2025-45949 CRITICAL POC
9.8 Apr 28

A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login

CVE-2023-48929 CRITICAL POC
9.8 Dec 08

Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti

CVE-2023-41012 CRITICAL POC
9.8 Sep 05

An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe

CVE-2023-31498 CRITICAL POC
9.8 May 11

A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex

CVE-2022-3269 CRITICAL POC
9.8 Sep 23

Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab

CVE-2021-39290 CRITICAL POC
9.8 Aug 23

Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera

CVE-2020-11729 CRITICAL POC
9.8 Apr 15

An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v

CVE-2019-18418 CRITICAL POC
9.8 Oct 24

clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be

CVE-2018-18925 CRITICAL POC
9.8 Nov 04

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s

Share

CVE-2026-30808 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy