Which versions of Pandora Fms are affected by CVE-2026-34186?

Pandora FMS versions 777-800 contain a high-severity SQL injection vulnerability (CVSS 8.7) accessible to authenticated users that could allow attackers to extract sensitive monitoring data, alter…

How to fix or mitigate CVE-2026-34186?

Within 24 hours: inventory all Pandora FMS deployments and document versions 777-800 in use; restrict network access to Pandora FMS web interfaces to trusted IP ranges or VPN only. Within 7 days: disable or revoke low-privilege user accounts not essential for operations; apply input validation and SQL parameterization reviews to custom field handling. Within 30 days: monitor vendor advisories for patch release targeting versions 777-800; prepare testing and deployment procedures for patched versions; consider upgrading to a version outside the affected range if patches remain unavailable.

Pandora Fms CVE-2026-34186

Q: What is the CVSS score of CVE-2026-34186?

CVE-2026-34186 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Amber. EPSS exploitation probability: 0.0%.

EUVD-2026-21998 HIGH

SQL Injection (CWE-89)

2026-04-13 PandoraFMS

GHSA-4hgf-5jwc-7v3g

SQLi Pandora Fms

8.7

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Amber

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 17, 2026 - 15:52 vuln.today

cvss_changed

Analysis Generated

Apr 13, 2026 - 16:43 vuln.today

CVSS changed

Apr 13, 2026 - 16:22 NVD

8.7 (HIGH)

EUVD ID Assigned

Apr 13, 2026 - 16:15 euvd

EUVD-2026-21998

Analysis Generated

Apr 13, 2026 - 16:15 vuln.today

CVE Published

Apr 13, 2026 - 15:49 nvd

HIGH 8.7

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via custom fields. This issue affects Pandora FMS: from 777 through 800

AnalysisAI

SQL injection in Pandora FMS versions 777 through 800 enables authenticated remote attackers to execute arbitrary SQL commands via specially crafted custom field inputs, potentially exposing sensitive monitoring data, modifying database contents, or compromising the underlying infrastructure management system. The vulnerability requires low-privilege authentication (PR:L) but has high confidentiality and integrity impact across the monitoring platform. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Obtain low-privilege Pandora FMS credentials

Delivery

Authenticate to web interface

Exploit

Navigate to custom fields management

Install

Inject SQL payload into field parameter

Application executes malicious query

Execute

Extract database contents or modify records

Impact

Pivot using exposed credentials