Skip to main content

Pandora FMS EUVDEUVD-2026-29497

| CVE-2026-30810 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-12 PandoraFMS GHSA-xvxp-pj7j-gmjj
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
N

Lifecycle Timeline

3
Analysis Generated
May 12, 2026 - 16:33 vuln.today
CVSS changed
May 12, 2026 - 16:22 NVD
7.1 (HIGH)
CVE Published
May 12, 2026 - 15:12 nvd
HIGH 7.1

DescriptionCVE.org

Server-Side Request Forgery vulnerability allows Privilege Escalation via API Checker extension. This issue affects Pandora FMS: from 777 through 800

AnalysisAI

Server-Side Request Forgery (SSRF) in Pandora FMS versions 777-800 enables authenticated attackers to escalate privileges through the API Checker extension. Attackers with low-privilege network access can force the server to make arbitrary requests, potentially accessing internal resources and escalating to higher confidentiality impact (CVSS VC:H). EPSS data not available; no confirmed active exploitation (not in CISA KEV). Vendor has acknowledged the issue per PandoraFMS security advisory, indicating patch development is likely underway.

Technical ContextAI

This vulnerability affects the API Checker extension in Pandora FMS (Flexible Monitoring System), an enterprise monitoring platform. The flaw is classified as CWE-918 (Server-Side Request Forgery), where insufficient validation allows authenticated users to manipulate server-side HTTP requests. The SSRF occurs when the API Checker extension fails to properly sanitize or restrict target URLs, enabling attackers to abuse the server's trust relationships to access internal services, cloud metadata endpoints (e.g., AWS IMDSv1), or bypass network segmentation. The CPE string (cpe:2.3:a:pandora_fms:pandora_fms:*:*:*:*:*:*:*:*) indicates all deployment types across versions 777-800 are vulnerable, representing approximately 23 version releases of the platform.

RemediationAI

Consult the official Pandora FMS security advisory at https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ for patch availability and specific remediation guidance. Vendor-released patch availability not independently confirmed from available data - contact Pandora FMS support for update timeline to versions beyond 800. Immediate compensating controls: (1) Restrict network access to the API Checker extension interface to trusted administrator IPs only via firewall rules or reverse proxy ACLs, reducing attack surface but limiting legitimate remote administration capabilities. (2) Implement egress filtering on the Pandora FMS server to block outbound requests to RFC1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), and cloud metadata endpoints (169.254.169.254) - this prevents internal reconnaissance but may break legitimate monitoring of internal APIs if API Checker is used for that purpose. (3) Review and reduce privileges of Pandora FMS user accounts to minimum necessary, limiting the population of PR:L accounts that can exploit the vulnerability. (4) Enable detailed logging for API Checker extension usage and monitor for unusual destination URLs or high-frequency requests indicating exploitation attempts.

CVE-2024-12971 HIGH POC
8.6 Mar 17

Pandora FMS monitoring platform versions 700 through 777.6 contain a command injection vulnerability that allows OS comm

CVE-2025-5306 CRITICAL POC
9.8 Jun 27

Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue af

CVE-2025-34088 HIGH POC
8.6 Jul 03

An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php

CVE-2020-13851 HIGH POC
8.8 Jun 11

Artica Pandora FMS 7.44 allows remote command execution via the events feature. Rated high severity (CVSS 8.8), this vul

CVE-2024-11320 MEDIUM POC
6.9 Nov 21

Arbitrary commands execution on the server by exploiting a command injection vulnerability in the LDAP authentication me

CVE-2021-34074 CRITICAL POC
9.8 Jun 25

PandoraFMS <=7.54 allows arbitrary file upload, it leading to remote command execution via the File Manager. Rated criti

CVE-2021-32099 CRITICAL POC
9.8 May 07

A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attac

CVE-2021-32098 CRITICAL POC
9.8 May 07

Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization. Rated critical severity (CVSS 9

CVE-2020-26518 CRITICAL POC
9.8 Oct 02

Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/

CVE-2020-13854 CRITICAL POC
9.8 Jun 11

Artica Pandora FMS 7.44 allows privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2020-11749 CRITICAL POC
9.0 Jul 13

Pandora FMS 7.0 NG <= 746 suffers from Multiple XSS vulnerabilities in different browser views. Rated critical severity

CVE-2020-13850 HIGH POC
7.5 Jun 11

Artica Pandora FMS 7.44 has inadequate access controls on a web folder. Rated high severity (CVSS 7.5), this vulnerabili

Share

EUVD-2026-29497 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy