Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber
Lifecycle Timeline
3DescriptionCVE.org
Server-Side Request Forgery vulnerability allows Privilege Escalation via API Checker extension. This issue affects Pandora FMS: from 777 through 800
AnalysisAI
Server-Side Request Forgery (SSRF) in Pandora FMS versions 777-800 enables authenticated attackers to escalate privileges through the API Checker extension. Attackers with low-privilege network access can force the server to make arbitrary requests, potentially accessing internal resources and escalating to higher confidentiality impact (CVSS VC:H). EPSS data not available; no confirmed active exploitation (not in CISA KEV). Vendor has acknowledged the issue per PandoraFMS security advisory, indicating patch development is likely underway.
Technical ContextAI
This vulnerability affects the API Checker extension in Pandora FMS (Flexible Monitoring System), an enterprise monitoring platform. The flaw is classified as CWE-918 (Server-Side Request Forgery), where insufficient validation allows authenticated users to manipulate server-side HTTP requests. The SSRF occurs when the API Checker extension fails to properly sanitize or restrict target URLs, enabling attackers to abuse the server's trust relationships to access internal services, cloud metadata endpoints (e.g., AWS IMDSv1), or bypass network segmentation. The CPE string (cpe:2.3:a:pandora_fms:pandora_fms:*:*:*:*:*:*:*:*) indicates all deployment types across versions 777-800 are vulnerable, representing approximately 23 version releases of the platform.
RemediationAI
Consult the official Pandora FMS security advisory at https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ for patch availability and specific remediation guidance. Vendor-released patch availability not independently confirmed from available data - contact Pandora FMS support for update timeline to versions beyond 800. Immediate compensating controls: (1) Restrict network access to the API Checker extension interface to trusted administrator IPs only via firewall rules or reverse proxy ACLs, reducing attack surface but limiting legitimate remote administration capabilities. (2) Implement egress filtering on the Pandora FMS server to block outbound requests to RFC1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), and cloud metadata endpoints (169.254.169.254) - this prevents internal reconnaissance but may break legitimate monitoring of internal APIs if API Checker is used for that purpose. (3) Review and reduce privileges of Pandora FMS user accounts to minimum necessary, limiting the population of PR:L accounts that can exploit the vulnerability. (4) Enable detailed logging for API Checker extension usage and monitor for unusual destination URLs or high-frequency requests indicating exploitation attempts.
More in Pandora Fms
View allPandora FMS monitoring platform versions 700 through 777.6 contain a command injection vulnerability that allows OS comm
Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue af
An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php
Artica Pandora FMS 7.44 allows remote command execution via the events feature. Rated high severity (CVSS 8.8), this vul
Arbitrary commands execution on the server by exploiting a command injection vulnerability in the LDAP authentication me
PandoraFMS <=7.54 allows arbitrary file upload, it leading to remote command execution via the File Manager. Rated criti
A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attac
Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization. Rated critical severity (CVSS 9
Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/
Artica Pandora FMS 7.44 allows privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely
Pandora FMS 7.0 NG <= 746 suffers from Multiple XSS vulnerabilities in different browser views. Rated critical severity
Artica Pandora FMS 7.44 has inadequate access controls on a web folder. Rated high severity (CVSS 7.5), this vulnerabili
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29497
GHSA-xvxp-pj7j-gmjj