CVE-2026-36829
Published 2026-05-19
Priority: P269 · critical · CVSS 3.1: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.27% (66.1th percentile)
An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication.
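The flawed pattern the description names, next to a hardened check, as an added example that is not Panabit's code. The function names, the 32-character hex token format and the `/tmp` stand-in for a session directory are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define TOKEN_LEN 32 /* assumption: 128-bit session token, lowercase hex */

/* Build "<dir>/<name>"; returns 0 if it does not fit in the buffer. */
static int build_path(char *out, size_t n, const char *dir, const char *name)
{
    int w = snprintf(out, n, "%s/%s", dir, name);
    return w > 0 && (size_t)w < n;
}

/* Flawed pattern: the cookie value goes straight into the path, so any
 * value that resolves to an existing filesystem entry is accepted. */
int session_valid_naive(const char *dir, const char *cookie)
{
    char path[512];
    struct stat st;
    return build_path(path, sizeof path, dir, cookie) && stat(path, &st) == 0;
}

/* Hardened: enforce the token grammar before touching the filesystem,
 * then require a regular file rather than mere existence. */
int session_valid_strict(const char *dir, const char *cookie)
{
    char path[512];
    struct stat st;
    if (cookie == NULL || strlen(cookie) != TOKEN_LEN)
        return 0;
    if (strspn(cookie, "0123456789abcdef") != TOKEN_LEN)
        return 0; /* rejects separators, dots, anything outside the alphabet */
    if (!build_path(path, sizeof path, dir, cookie))
        return 0;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode);
}

int main(void)
{
    const char *dir = "/tmp";   /* constructed stand-in for a session store */
    const char *cookie = "..";  /* constructed malformed cookie value */
    printf("naive=%d strict=%d\n", session_valid_naive(dir, cookie),
           session_valid_strict(dir, cookie));
    return 0;
}
```

Keeping sessions in a server-side table keyed by token removes the path construction entirely.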
GHSA
ghsa_unreviewed·2026-05-19
CVE-2026-36829 [CRITICAL] CWE-22 GHSA-xh8m-w9h2-4fc7: An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7
An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication.
VulDB
Panabit PAP-XM320 up to 7.7 Embedded HTTP Server path traversal
vuldb·2026-05-19·CVSS 9.8
CVE-2026-36829 [CRITICAL] Panabit PAP-XM320 up to 7.7 Embedded HTTP Server path traversal
A vulnerability, which was classified as critical, has been found in Panabit PAP-XM320 up to 7.7. Affected is an unknown function of the component Embedded HTTP Server. The manipulation leads to path traversal.
This vulnerability is referenced as CVE-2026-36829. Remote exploitation of the attack is possible. No exploit is available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.