Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
A command injection vulnerability exists in Panabit PAP-XM320 up to and including V7.7. The web management interface invokes the backend helper /usr/sbin/pappiw and passes user-controlled parameters to it. The helper performs unsafe argument processing using eval, which allows command injection when attacker-controlled input is included in the arguments. As a result, an authenticated remote attacker with access to the management interface may execute arbitrary shell commands.
AnalysisAI
Command injection in Panabit PAP-XM320 firmware up to and including V7.7 enables authenticated remote attackers with management interface access to execute arbitrary shell commands on the underlying OS. The web management interface passes user-controlled input to the backend helper /usr/sbin/pappiw, which processes arguments via eval - a classic CWE-78 pattern that causes attacker-supplied shell metacharacters to be interpreted as commands. No public exploit has been confirmed at time of analysis and this CVE is not listed in the CISA KEV catalog, though a researcher disclosure page is referenced.
Technical ContextAI
The affected product is the Panabit PAP-XM320, a network appliance whose web management interface delegates parameter handling to the backend binary /usr/sbin/pappiw. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command): the helper uses the shell built-in eval to process its arguments, which causes any attacker-controlled string embedded in those arguments to be expanded and executed as a shell command rather than treated as data. This is a well-understood injection class - eval in shell scripts is inherently unsafe when processing external input because it collapses the boundary between data and code. CPE data in available sources is unpopulated (cpe:2.3:a:n/a:n/a), so precise version enumeration relies solely on the CVE description citing V7.7 as the ceiling version. The ENISA EUVD record EUVD-2026-30951 corroborates the MITRE assignment.
RemediationAI
No specific patched firmware version has been identified in available data. Organizations should consult the Panabit vendor site at https://www.panabit.com/ and the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-36827 for firmware update availability. As compensating controls pending a vendor patch: restrict access to the PAP-XM320 web management interface to a dedicated management VLAN or specific trusted administrator IP ranges using ACLs or firewall rules - this directly eliminates network reachability for unauthorized users and reduces the attack surface to insiders or VPN-connected administrators only. If remote web management is not operationally required, disable it entirely. Enforce strong, unique credentials for all management accounts to raise the barrier for credential-based exploitation. Audit management interface logs for anomalous parameter values containing shell metacharacters (semicolons, backticks, dollar signs, pipes). Note that restricting network access does not eliminate the vulnerability - it only reduces exposure until a firmware patch is applied.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30951
GHSA-56xv-fjpq-3r4m