Panabit PAP-XM320 EUVD-2026-30951

CVE-2026-36827 (MEDIUM, CVSS 3.1: 5.4)
OS Command Injection (CWE-78)
2026-05-19 mitre GHSA-56xv-fjpq-3r4m

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: May 19, 2026 - 19:23 (vuln.today)
CVSS changed: May 19, 2026 - 19:22 (NVD), 5.4 (MEDIUM)
CVE Published: May 19, 2026 - 00:00 (nvd), UNKNOWN (no severity yet)

Description (NVD)

A command injection vulnerability exists in Panabit PAP-XM320 up to and including V7.7. The web management interface invokes the backend helper /usr/sbin/pappiw and passes user-controlled parameters to it. The helper performs unsafe argument processing using eval, which allows command injection when attacker-controlled input is included in the arguments. As a result, an authenticated remote attacker with access to the management interface may execute arbitrary shell commands.
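The eval-based argument handling named in the description, shown next to an eval-free parser, as an added example. This is not Panabit's code: the function names, the `ssid`/`channel` parameters and the sample input are assumptions constructed for illustration.

```shell
# Illustrative sketch, not pappiw's code; ssid/channel are assumed parameter names.

# Unsafe pattern: every "key=value" argument is passed to eval, so shell
# syntax inside the value is executed instead of being stored.
parse_unsafe() {
    for arg in "$@"; do
        eval "$arg"
    done
}

# Hardened pattern: no eval. Keys are matched against an allowlist and each
# value must fit a strict character set before it is assigned as plain data.
parse_safe() {
    ssid='' channel=''
    for arg in "$@"; do
        case $arg in
            *=*) key=${arg%%=*}; val=${arg#*=} ;;
            *)   return 2 ;;                       # not key=value
        esac
        case $key in
            ssid)
                case $val in ''|*[!A-Za-z0-9_.-]*) return 3 ;; esac
                ssid=$val ;;
            channel)
                case $val in ''|*[!0-9]*) return 3 ;; esac
                channel=$val ;;
            *)  return 2 ;;                        # unknown key
        esac
    done
}

# Constructed input: a value that carries a second shell statement.
sample='ssid=lab; INJECTED=1'

INJECTED=0
parse_unsafe "$sample"
echo "unsafe parser: INJECTED=$INJECTED"

INJECTED=0
parse_safe "$sample" || echo "safe parser: rejected, rc=$?"
echo "safe parser:   INJECTED=$INJECTED"
```

The same rule applies at the caller: the web interface should validate parameters before invoking the helper and pass them as separate arguments rather than as a single string that a shell re-parses.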

Analysis (AI)

Command injection in Panabit PAP-XM320 firmware up to and including V7.7 enables authenticated remote attackers with management interface access to execute arbitrary shell commands on the underlying OS. The web management interface passes user-controlled input to the backend helper /usr/sbin/pappiw, which processes arguments via eval - a classic CWE-78 pattern that causes attacker-supplied shell metacharacters to be interpreted as commands. …
