CVE-2026-36828
Published 2026-05-19
Priority: P266 | Severity: high | CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.67% (73.8th percentile)
A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including v7.7. The CGI component allows authenticated users to execute arbitrary shell commands with root privileges via the action=runcmd parameter.
GHSA
GHSA-wppq-8vc8-2347: A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including v7
ghsa_unreviewed·2026-05-19
CVE-2026-36828 [HIGH] CWE-78 GHSA-wppq-8vc8-2347: A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including v7
VulDB
Panabit PAP-XM320 up to 7.7 CGI /cgi-bin/tools/ajax_cmd command injection
vuldb·2026-05-19·CVSS 8.8
CVE-2026-36828 [HIGH] Panabit PAP-XM320 up to 7.7 CGI /cgi-bin/tools/ajax_cmd command injection
A vulnerability was found in Panabit PAP-XM320 up to 7.7 and classified as critical. Affected is an unknown function of the file /cgi-bin/tools/ajax_cmd of the component CGI Component. The manipulation results in command injection.
This vulnerability is cataloged as CVE-2026-36828. The attack may be launched remotely. There is no exploit available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-19