Artica Pandora FMS vulnerabilities
67 known vulnerabilities affecting artica/pandora_fms.
Total CVEs: 67
CISA KEV: 0
Public exploits: 13
Exploited in wild: 2
Severity breakdown: CRITICAL 18, HIGH 29, MEDIUM 20
Vulnerabilities
Page 2 of 4
CVE-2026-34187 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 777.17 | ≥ 778, < 802 | 2026-05-12
Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via graph container parameter. This issue affects Pandora FMS: from 777 through 800.
nvd
CVE-2026-30809 | P2 | HIGH | CVSS 8.8 | CWE-78 | ≥ 777, < 800.1 | 2026-04-13
Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via WebServerModuleDebug. This issue affects Pandora FMS: from 777 through 800.
nvd
CVE-2021-32098 | P2 | CRITICAL | CVSS 9.8 | CWE-502 | v742 | 2021-05-07
Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization.
nvd
CVE-2018-11221 | P2 | CRITICAL | CVSS 9.8 | CWE-434 | ≤ 7.23 | 2018-06-16
Unauthenticated untrusted file upload in Artica Pandora FMS through version 7.23 allows an attacker to upload an arbitrary plugin via include/ajax/update_manager.ajax in the update system.
nvd
CVE-2023-44091 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | ≥ 700, < 776 | 2024-03-19
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pandora FMS on all allows SQL Injection. This vulnerability allowed SQL injections to be made even if authentication failed. This issue affects Pandora FMS: from 700 through <776.
nvd
CVE-2019-19681 | P3 | HIGH | CVSS 8.8 | CWE-863 | v7.0 | 2019-12-26
Pandora FMS 7.x suffers from remote code execution vulnerability. With an authenticated user who can modify the alert system, it is possible to define and execute commands as root/Administrator. NOTE: The product vendor states that the vulnerability as it is described is not in fact an actual vulnerability. They state that to be able to create alert c
nvd
CVE-2023-44092 | P3 | CRITICAL | CVSS 9.1 | CWE-78 | ≥ 700, < 776 | 2024-03-19
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Pandora FMS on all allows OS Command Injection. This vulnerability allowed an attacker to create a reverse shell and execute commands in the OS. This issue affects Pandora FMS: from 700 through <776.
nvd
CVE-2026-30813 | P3 | HIGH | CVSS 8.8 | CWE-89 | ≥ 777, < 800.1 | 2026-04-13
Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via module search. This issue affects Pandora FMS: from 777 through 800.
nvd
CVE-2023-41790 | P3 | CRITICAL | CVSS 9.8 | CWE-427 | ≥ 700, ≤ 773 | 2023-11-23
Uncontrolled Search Path Element vulnerability in Pandora FMS on all allows Leveraging/Manipulating Configuration File Search Paths. This vulnerability allows access to the server configuration file and compromise of the database. This issue affects Pandora FMS: from 700 through 773.
nvd
CVE-2024-35305 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | ≥ 700, < 777 | 2024-06-10
Unauthenticated time-based SQL injection in the API, exploitable through the HTTP request Authorization header. This issue affects Pandora FMS: from 700 through <777.
nvd
CVE-2020-26518 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 743 | 2020-10-02
Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/include/chart_generator.php session_id parameter.
nvd
CVE-2023-41812 | P3 | HIGH | CVSS 8.8 | CWE-434 | ≥ 700, < 774 | 2023-11-23
Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all allows Accessing Functionality Not Properly Constrained by ACLs. This vulnerability allowed PHP executable files to be uploaded through the file manager. This issue affects Pandora FMS: from 700 through 773.
nvd
CVE-2026-34186 | P3 | HIGH | CVSS 8.8 | CWE-89 | ≥ 777, < 800.1 | 2026-04-13
Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via custom fields. This issue affects Pandora FMS: from 777 through 800.
nvd
CVE-2026-30810 | P3 | HIGH | CVSS 8.8 | CWE-918 | fixed in 777.17 | ≥ 778, < 802 | 2026-05-12
Server-Side Request Forgery vulnerability allows Privilege Escalation via API Checker extension. This issue affects Pandora FMS: from 777 through 800.
nvd
CVE-2023-41788 | P3 | HIGH | CVSS 8.8 | CWE-434 | ≥ 700, < 774 | 2023-11-23
Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all allows Accessing Functionality Not Properly Constrained by ACLs. This vulnerability allows attackers to execute code via PHP file uploads. This issue affects Pandora FMS: from 700 through 773.
nvd
CVE-2023-41807 | P3 | HIGH | CVSS 8.8 | CWE-269 | ≥ 700, ≤ 773 | 2023-11-23
Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. This vulnerability allows a user to escalate permissions on the system shell. This issue affects Pandora FMS: from 700 through 773.
nvd
CVE-2026-30804 | P3 | HIGH | CVSS 7.2 | CWE-434 | ≥ 777, < 800.1 | 2026-04-13
Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. This issue affects Pandora FMS: from 777 through 800.
nvd
CVE-2023-4677 | P3 | CRITICAL | CVSS 9.8 | CWE-287 | ≥ 700, < 773 | 2023-11-23
Cron log backup files contain administrator session IDs. It is trivial for any attacker who can reach the Pandora FMS Console to scrape the cron logs directory for cron log backups. The contents of these log files can then be abused to authenticate to the application as an administrator. This issue affects Pandora FMS <= 772.
nvd
CVE-2026-34188 | P3 | HIGH | CVSS 7.2 | CWE-78 | ≥ 777, < 800.1 | 2026-04-13
Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Event Response execution. This issue affects Pandora FMS: from 777 through 800.
nvd
CVE-2020-7935 | P3 | HIGH | CVSS 7.2 | CWE-434 | ≤ 7.42 | 2020-03-23
Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. An attacker can create a (or use an existing) directory that is externally accessible to store PHP files. The filename and the exact path is known by the attacker, so it is possible to ex
nvd