Artica Pandora FMS vulnerabilities
67 known vulnerabilities affecting artica/pandora_fms.
Total CVEs: 67
CISA KEV: 0
Public exploits: 13
Exploited in wild: 2
Severity breakdown: CRITICAL 18, HIGH 29, MEDIUM 20
Vulnerabilities
Page 1 of 4
CVE-2020-8497 | P2 | MEDIUM | CVSS 5.3 | CWE-306 | Exploited | PoC | ≤ 7.42 | 2020-03-23
In Artica Pandora FMS through 7.42, an unauthenticated attacker can read the chat history. The file is in JSON format and it contains user names, user IDs, private messages, and timestamps.
nvd
CVE-2018-11222 | P2 | HIGH | CVSS 7.5 | CWE-20 | Exploited | PoC | ≤ 7.23 | 2018-06-16
Local File Inclusion (LFI) in Artica Pandora FMS through version 7.23 allows an attacker to call any php file via the /pandora_console/ajax.php ajax endpoint.
nvd
CVE-2024-12971 | P2 | HIGH | CVSS 8.8 | CWE-77 | PoC | ≥ 700, < 777.8 | 2025-03-17
Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection. This issue affects Pandora FMS from 700 to 777.6.
nvd
CVE-2010-4279 | P2 | CRITICAL | CVSS 10.0 | CWE-287 | PoC | ≤ 3.1, v1.2 +7 more | 2010-12-02
The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter, in conjunction with the md5 hash of "admin" in the loginhash_data parameter.
nvd
CVE-2025-5306 | P1 | CRITICAL | CVSS 9.8 | CWE-77 | PoC | ≥ 774, ≤ 778 | 2025-06-27
Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778
nvd
CVE-2019-20224 | P2 | HIGH | CVSS 8.8 | CWE-78 | PoC | v7.0_ng | 2020-01-09
netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request. This issue has been fixed in Pandora FMS 7.0 NG 742.
nvd
CVE-2020-8947 | P2 | HIGH | CVSS 7.2 | PoC | v7.0 | 2020-02-12
functions_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the index.php?operation/netflow/nf_live_view ip_dst, dst_port, or src_port parameter, a different vulnerability than CVE-2019-20224.
nvd
CVE-2020-5844 | P2 | HIGH | CVSS 7.2 | CWE-434 | PoC | v7.0_ng | 2020-03-16
index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.
nvd
CVE-2010-4278 | P2 | CRITICAL | CVSS 9.0 | CWE-78 | PoC | ≤ 3.1, v1.2 +7 more | 2010-12-02
operation/agentes/networkmap.php in Pandora FMS before 3.1.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the layout parameter in an operation/agentes/networkmap action to index.php.
nvd
CVE-2010-4282 | P3 | HIGH | CVSS 7.5 | CWE-22 | PoC | ≤ 3.1, v1.2 +7 more | 2010-12-02
Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout param
nvd
CVE-2010-4281 | P3 | HIGH | CVSS 7.5 | CWE-94 | PoC | ≤ 3.1, v1.2 +7 more | 2010-12-02
Incomplete blacklist vulnerability in the safe_url_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code by using a page parameter containing a UNC share pathname, which bypasses the check for the : (colon) character.
nvd
CVE-2010-4283 | P3 | HIGH | CVSS 7.5 | CWE-94 | PoC | ≤ 3.1, v1.2 +7 more | 2010-12-02
PHP remote file inclusion vulnerability in extras/pandora_diag.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the argv[1] parameter.
nvd
CVE-2021-32099 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | v742 | 2021-05-07
A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass.
nvd
CVE-2010-4280 | P3 | HIGH | CVSS 7.5 | CWE-89 | PoC | ≤ 3.1, v1.2 +7 more | 2010-12-02
Multiple SQL injection vulnerabilities in Pandora FMS before 3.1.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the id_group parameter in an operation/agentes/ver_agente action to ajax.php or (2) the group_id parameter in an operation/agentes/estado_agente action to index.php, related to operation/agentes/estado_agente.php.
nvd
CVE-2024-35306 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | ≥ 700, < 777 | 2024-06-10
OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables. This issue affects Pandora FMS: from 700 through <777.
nvd
CVE-2026-30805 | P2 | CRITICAL | CVSS 9.1 | CWE-1188 | fixed in 777.17 | ≥ 778, < 802 | 2026-05-12
Insecure Default Initialization of Resource vulnerability allows Authentication Bypass via API access. This issue affects Pandora FMS: from 777 through 800
nvd
CVE-2024-35307 | P2 | CRITICAL | CVSS 9.8 | CWE-88 | ≥ 700, < 777 | 2024-06-10
Argument Injection Leading to Remote Code Execution in Realtime Graph Extension, allowing unauthenticated attackers to execute arbitrary code on the server. This issue affects Pandora FMS: from 700 through <777.
nvd
CVE-2024-12992 | P2 | CRITICAL | CVSS 9.8 | CWE-77 | ≥ 700, < 777.8 | 2025-03-17
Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection via RCE. This issue affects Pandora FMS from 700 to 777.6.
nvd
CVE-2024-35304 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | ≥ 700, < 777 | 2024-06-10
System command injection through Netflow function due to improper input validation, allowing attackers to execute arbitrary system commands. This issue affects Pandora FMS: from 700 through <777.
nvd
CVE-2026-30806 | P2 | HIGH | CVSS 8.8 | CWE-78 | ≥ 777, < 800.1 | 2026-04-13
Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Network Report. This issue affects Pandora FMS: from 777 through 800
nvd