Skip to main content

Panorama Suite CVE-2026-4760

| EUVDEUVD-2026-15402 HIGH
Files or Directories Accessible to External Parties (CWE-552)
2026-03-25 CODRA GHSA-46v5-gpch-77vw
7.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 12:45 euvd
EUVD-2026-15402
Analysis Generated
Mar 25, 2026 - 12:45 vuln.today
CVE Published
Mar 25, 2026 - 12:29 nvd
HIGH 7.7

DescriptionCVE.org

From Panorama Web HMI, an attacker can gain read access to certain Web HMI server files, if he knows their paths and if these files are accessible to the Servin process execution account.

  • Installations based on Panorama Suite 2022-SP1 (22.50.005) are vulnerable unless update PS-2210-02-4079 (or higher) is installed
  • Installations based on Panorama Suite 2023 (23.00.004) are vulnerable

unless updates PS-2300-03-3078 (or higher) and PS-2300-04-3078 (or higher) and PS-2300-82-3078

(or higher)

are installed

  • Installations based on Panorama Suite 2025 (25.00.016)

are vulnerable unless updates PS-2500-02-1078 (or higher) and PS-2500-04-1078 (or higher) are installed

  • Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007)

are vulnerable unless updates PS-2510-02-1077 (or higher) and PS-2510-04-1077 (or higher)

are installed

Please refer to security bulletin BS-035, available on the Panorama CSIRT website:  https://my.codra.net/en-gb/csirt .

AnalysisAI

Panorama Web HMI contains a path traversal vulnerability (CWE-552) that allows unauthenticated remote attackers to read arbitrary server files if their paths are known and accessible to the service account. The vulnerability affects Panorama Suite versions 2022-SP1, 2023, and 2025 installations, requiring specific security updates to remediate. Currently no patch is available for the latest affected versions.

Technical ContextAI

This vulnerability affects CODRA Panorama Suite (CPE: cpe:2.3:a:codra:panorama_suite), a Web HMI (Human-Machine Interface) solution used in industrial control and SCADA environments. The root cause is classified as CWE-552 (Files or Directories Accessible to External Parties), indicating improper access control on file system resources. The Panorama Web HMI component fails to properly validate or restrict file access requests, allowing attackers to traverse directories and read files that the Servin process has permissions to access. This type of vulnerability typically results from insufficient input validation on file path parameters or missing authorization checks before serving file content through web endpoints.

RemediationAI

Apply the appropriate security updates for your Panorama Suite version: for 2022-SP1 systems install update PS-2210-02-4079 or higher, for 2023 systems install updates PS-2300-03-3078, PS-2300-04-3078, and PS-2300-82-3078 or higher, for 2025 (25.00.016) systems install updates PS-2500-02-1078 and PS-2500-04-1078 or higher, and for 2025 Updated Dec. 25 (25.10.007) systems install updates PS-2510-02-1077 and PS-2510-04-1077 or higher. Consult CODRA security bulletin BS-035 at https://my.codra.net/en-gb/csirt for complete patching instructions and download links. As interim mitigations until patching can be completed, restrict network access to the Panorama Web HMI interface to trusted IP ranges only, implement network segmentation to isolate HMI systems from untrusted networks, and review file system permissions for the Servin process account to minimize the scope of accessible sensitive files.

Share

CVE-2026-4760 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy