
Pandora FMS EUVD-2026-21994

CVE-2026-30812 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-04-13 PandoraFMS GHSA-4g9c-4vrc-qw29
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:D/RE:L/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:D/RE:L/U:Amber

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: P
  • Scope: N

Lifecycle Timeline

5 events

  • Analysis Generated: Apr 13, 2026 - 16:44 (vuln.today)
  • CVSS changed: Apr 13, 2026 - 16:22 (NVD), 2.1 (LOW)
  • EUVD ID Assigned: Apr 13, 2026 - 16:15 (euvd), EUVD-2026-21994
  • Analysis Generated: Apr 13, 2026 - 16:15 (vuln.today)
  • CVE Published: Apr 13, 2026 - 15:48 (nvd), LOW 2.1

Description (CVE.org)

Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue affects Pandora FMS: from 777 through 800.

Analysis (AI)

Stored Cross-Site Scripting (XSS) in Pandora FMS versions 777 through 800 allows authenticated users with low privileges to inject malicious scripts via event comments, which execute in the browsers of other users viewing those comments. The vulnerability has a CVSS score of 2.1 with low confidentiality and integrity impact, requiring user interaction and attack preparation time to exploit. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Authenticate to Pandora FMS
  • Delivery: Submit malicious JavaScript in event comment
  • Exploit: Comment stored in database
  • Execution: Administrator views event details
  • Persist: Injected script executes in admin browser
  • Impact: Session hijacked or admin actions performed

Vulnerability Assessment (AI)

Risk Assessment: The CVSS v4.0 score of 2.1 reflects low real-world risk despite the XSS classification. …

Exploit Scenario: An authenticated user with low-level monitoring privileges submits a crafted event comment containing embedded JavaScript, such as a payload that exfiltrates session cookies. When another user (such as an administrator) views the event details page, the injected script executes in their browser, potentially capturing their session token or forcing them to perform administrative actions on behalf of the attacker. …

Remediation: Upgrade Pandora FMS to a version released after 800. …
