Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:L/U:Amber
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:L/U:Amber
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via graph container parameter. This issue affects Pandora FMS: from 777 through 800
AnalysisAI
SQL injection in Pandora FMS versions 777-800 allows authenticated attackers with low privileges to exfiltrate or manipulate database contents via the graph container parameter. Attack complexity is high with present attack techniques, requiring specific timing conditions. No active exploitation confirmed per CISA KEV, and EPSS data not provided. Vendor advisory available from PandoraFMS confirms the vulnerability affecting a narrow version range spanning approximately builds 777 through 800.
Technical ContextAI
Pandora FMS is an open-source infrastructure monitoring platform. This vulnerability stems from CWE-89 (Improper Neutralization of Special Elements in SQL Command), indicating the graph container parameter fails to sanitize user input before incorporating it into SQL queries. The CVSS 4.0 vector specifies network-based attack vector (AV:N) but requires authenticated low-privilege access (PR:L) and presents high attack complexity with present attack techniques (AC:H/AT:P). The affected CPE cpe:2.3:a:pandora_fms:pandora_fms identifies the core monitoring application. The graph container parameter likely relates to Pandora FMS's graphing and reporting functionality, where visualizations can be organized into containers. Vulnerable SQL query construction in this component enables injection attacks when authenticated users interact with graph management features.
RemediationAI
Upgrade Pandora FMS to version 801 or later, which remediates the SQL injection vulnerability in the graph container parameter handling. The vendor security advisory at https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ should contain specific upgrade instructions and release notes. If immediate patching is not feasible, implement compensating controls: restrict access to graph management functionality using role-based access controls to trusted administrators only (reducing attack surface by limiting who can interact with the vulnerable parameter); deploy web application firewall rules to detect and block SQL injection attempts in graph container parameters, though this provides defense-in-depth rather than complete protection and may generate false positives requiring tuning; monitor database query logs for suspicious patterns such as UNION statements, comment sequences, or time-based blind injection signatures in queries originating from graph-related application code, understanding this is detective not preventive and requires dedicated log analysis resources. Disabling graph container functionality entirely eliminates the attack vector but significantly reduces Pandora FMS operational utility for visualization workflows.
More in Pandora Fms
View allPandora FMS monitoring platform versions 700 through 777.6 contain a command injection vulnerability that allows OS comm
Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue af
An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php
Artica Pandora FMS 7.44 allows remote command execution via the events feature. Rated high severity (CVSS 8.8), this vul
Arbitrary commands execution on the server by exploiting a command injection vulnerability in the LDAP authentication me
PandoraFMS <=7.54 allows arbitrary file upload, it leading to remote command execution via the File Manager. Rated criti
A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attac
Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization. Rated critical severity (CVSS 9
Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/
Artica Pandora FMS 7.44 allows privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely
Pandora FMS 7.0 NG <= 746 suffers from Multiple XSS vulnerabilities in different browser views. Rated critical severity
Artica Pandora FMS 7.44 has inadequate access controls on a web folder. Rated high severity (CVSS 7.5), this vulnerabili
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29512
GHSA-wxjr-vrjv-wjm5