Which versions of Pandora Fms are affected by EUVD-2026-21990?

Pandora FMS versions 777-800 contain an OS command injection vulnerability in the WebServerModuleDebug component that allows authenticated users with low-level privileges to execute arbitrary system…

How to fix or mitigate EUVD-2026-21990?

Within 24 hours: Identify all Pandora FMS instances running versions 777-800 in your environment and document affected systems. Restrict network and application-level access to the WebServerModuleDebug component to only essential administrative users. Within 7 days: Implement additional authentication layers or reverse-proxy controls requiring multi-factor authentication for access to affected Pandora FMS deployments. Monitor authentication logs for suspicious WebServerModuleDebug access patterns. Within 30 days: Contact Pandora FMS vendor for patch availability timeline; evaluate upgrading to version 801 or later if released, or migrating to alternative monitoring solutions if patch timeline is unacceptable.

Pandora Fms EUVD-2026-21990

Q: What is the CVSS score of EUVD-2026-21990?

EUVD-2026-21990 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber. EPSS exploitation probability: 0.5%.

| CVE-2026-30809 HIGH

OS Command Injection (CWE-78)

2026-04-13 PandoraFMS

GHSA-9w52-f5xp-pq4c

Command Injection Pandora Fms

8.7

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 17, 2026 - 15:52 vuln.today

cvss_changed

Analysis Generated

Apr 13, 2026 - 16:42 vuln.today

CVSS changed

Apr 13, 2026 - 16:22 NVD

8.7 (HIGH)

EUVD ID Assigned

Apr 13, 2026 - 16:15 euvd

EUVD-2026-21990

Analysis Generated

Apr 13, 2026 - 16:15 vuln.today

CVE Published

Apr 13, 2026 - 15:46 nvd

HIGH 8.7

DescriptionCVE.org

Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via WebServerModuleDebug. This issue affects Pandora FMS: from 777 through 800

AnalysisAI

OS command injection in Pandora FMS versions 777 through 800 allows authenticated remote attackers to execute arbitrary system commands via the WebServerModuleDebug component. With low attack complexity and no user interaction required, attackers with low-level privileges can achieve high confidentiality and integrity impact on the vulnerable system, plus limited impact on connected systems (CVSS 8.7). …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain low-privilege credentials

Delivery

Access WebServerModuleDebug component

Exploit

Inject OS commands in vulnerable parameter

Execution

Execute arbitrary system commands

Impact

Exfiltrate monitoring data or pivot to connected systems