Skip to main content

Pandora FMS EUVDEUVD-2026-29495

| CVE-2026-30807 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-12 PandoraFMS GHSA-x5vj-9j33-4gff
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:L/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:L/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
N

Lifecycle Timeline

3
Analysis Generated
May 12, 2026 - 16:32 vuln.today
CVSS changed
May 12, 2026 - 16:22 NVD
7.1 (HIGH)
CVE Published
May 12, 2026 - 15:11 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery vulnerability allows an attacker to perform unauthorized actions via crafted web page. This issue affects Pandora FMS: from 777 through 800

AnalysisAI

Cross-Site Request Forgery in Pandora FMS versions 777 through 800 enables attackers to execute unauthorized administrative actions through victim interaction with malicious web pages. The network-accessible attack requires no authentication but depends on user interaction (CVSS AV:N/PR:N/UI:P), allowing high integrity impact (VI:H) with limited confidentiality exposure (VC:L). No active exploitation confirmed (CISA KEV not listed), EPSS data not available for assessment. Vendor Pandora FMS has acknowledged the vulnerability with public disclosure.

Technical ContextAI

This vulnerability stems from insufficient CSRF protections (CWE-352) in Pandora FMS, an open-source network monitoring platform. CSRF attacks exploit the trust a web application has in authenticated user browsers by forcing victims to submit state-changing requests without their knowledge. The affected cpe:2.3:a:pandora_fms:pandora_fms applies to versions 777-800, indicating a sustained weakness across multiple releases. Pandora FMS uses PHP-based session management for administrative interfaces; without proper anti-CSRF tokens or SameSite cookie attributes, authenticated admin sessions become vulnerable to forged requests originating from attacker-controlled domains. The CVSS 4.0 vector indicates network attack delivery (AV:N) with low complexity (AC:L), meaning exploitation requires only standard web techniques like HTML forms or JavaScript within attacker-hosted pages.

RemediationAI

Upgrade to Pandora FMS version 801 or later if available, as versions 777-800 are confirmed vulnerable and the version numbering suggests subsequent releases address this issue; verify patch status directly with the vendor advisory at https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/. If immediate patching is not feasible, implement compensating controls: configure web application firewalls to validate Referer and Origin headers for administrative endpoints, rejecting requests from external domains (trade-off: may break legitimate cross-origin integrations); enable HTTP Strict-Transport-Security and deploy SameSite=Strict cookie attributes for session cookies to prevent cross-site transmission (trade-off: breaks functionality if administrators access Pandora FMS from bookmarks on different domains); restrict administrative interface access to dedicated management VLANs or VPN-only access, reducing exposure to CSRF payloads delivered via internet-sourced pages (trade-off: operational overhead for remote administration). Monitor authentication logs for unusual administrative actions coinciding with external network activity.

CVE-2024-12971 HIGH POC
8.6 Mar 17

Pandora FMS monitoring platform versions 700 through 777.6 contain a command injection vulnerability that allows OS comm

CVE-2025-5306 CRITICAL POC
9.8 Jun 27

Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue af

CVE-2025-34088 HIGH POC
8.6 Jul 03

An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php

CVE-2020-13851 HIGH POC
8.8 Jun 11

Artica Pandora FMS 7.44 allows remote command execution via the events feature. Rated high severity (CVSS 8.8), this vul

CVE-2024-11320 MEDIUM POC
6.9 Nov 21

Arbitrary commands execution on the server by exploiting a command injection vulnerability in the LDAP authentication me

CVE-2021-34074 CRITICAL POC
9.8 Jun 25

PandoraFMS <=7.54 allows arbitrary file upload, it leading to remote command execution via the File Manager. Rated criti

CVE-2021-32099 CRITICAL POC
9.8 May 07

A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attac

CVE-2021-32098 CRITICAL POC
9.8 May 07

Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization. Rated critical severity (CVSS 9

CVE-2020-26518 CRITICAL POC
9.8 Oct 02

Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/

CVE-2020-13854 CRITICAL POC
9.8 Jun 11

Artica Pandora FMS 7.44 allows privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2020-11749 CRITICAL POC
9.0 Jul 13

Pandora FMS 7.0 NG <= 746 suffers from Multiple XSS vulnerabilities in different browser views. Rated critical severity

CVE-2020-13850 HIGH POC
7.5 Jun 11

Artica Pandora FMS 7.44 has inadequate access controls on a web folder. Rated high severity (CVSS 7.5), this vulnerabili

Share

EUVD-2026-29495 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy