Skip to main content

Panabit PAP-XM320 CVE-2026-36827

| EUVDEUVD-2026-30951 MEDIUM
OS Command Injection (CWE-78)
2026-05-19 mitre GHSA-56xv-fjpq-3r4m
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 19, 2026 - 19:23 vuln.today
CVSS changed
May 19, 2026 - 19:22 NVD
5.4 (MEDIUM)
CVE Published
May 19, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A command injection vulnerability exists in Panabit PAP-XM320 up to and including V7.7. The web management interface invokes the backend helper /usr/sbin/pappiw and passes user-controlled parameters to it. The helper performs unsafe argument processing using eval, which allows command injection when attacker-controlled input is included in the arguments. As a result, an authenticated remote attacker with access to the management interface may execute arbitrary shell commands.

AnalysisAI

Command injection in Panabit PAP-XM320 firmware up to and including V7.7 enables authenticated remote attackers with management interface access to execute arbitrary shell commands on the underlying OS. The web management interface passes user-controlled input to the backend helper /usr/sbin/pappiw, which processes arguments via eval - a classic CWE-78 pattern that causes attacker-supplied shell metacharacters to be interpreted as commands. No public exploit has been confirmed at time of analysis and this CVE is not listed in the CISA KEV catalog, though a researcher disclosure page is referenced.

Technical ContextAI

The affected product is the Panabit PAP-XM320, a network appliance whose web management interface delegates parameter handling to the backend binary /usr/sbin/pappiw. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command): the helper uses the shell built-in eval to process its arguments, which causes any attacker-controlled string embedded in those arguments to be expanded and executed as a shell command rather than treated as data. This is a well-understood injection class - eval in shell scripts is inherently unsafe when processing external input because it collapses the boundary between data and code. CPE data in available sources is unpopulated (cpe:2.3:a:n/a:n/a), so precise version enumeration relies solely on the CVE description citing V7.7 as the ceiling version. The ENISA EUVD record EUVD-2026-30951 corroborates the MITRE assignment.

RemediationAI

No specific patched firmware version has been identified in available data. Organizations should consult the Panabit vendor site at https://www.panabit.com/ and the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-36827 for firmware update availability. As compensating controls pending a vendor patch: restrict access to the PAP-XM320 web management interface to a dedicated management VLAN or specific trusted administrator IP ranges using ACLs or firewall rules - this directly eliminates network reachability for unauthorized users and reduces the attack surface to insiders or VPN-connected administrators only. If remote web management is not operationally required, disable it entirely. Enforce strong, unique credentials for all management accounts to raise the barrier for credential-based exploitation. Audit management interface logs for anomalous parameter values containing shell metacharacters (semicolons, backticks, dollar signs, pipes). Note that restricting network access does not eliminate the vulnerability - it only reduces exposure until a firmware patch is applied.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-36827 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy