Every CVE whose affected-product data names Artica Pandora Fms, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (67)
CVE-2010-4279 — CVSS 10.0 (critical): The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote…
CVE-2021-32099 — CVSS 9.8 (critical): A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his…
CVE-2026-34187 — CVSS 9.8 (critical): Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via graph container parameter. This…
CVE-2024-35305 — CVSS 9.8 (critical): Unauth Time-Based SQL Injection in API allows to exploit HTTP request Authorization header. This issue affects Pandora FMS: from 700…
CVE-2024-35304 — CVSS 9.8 (critical): System command injection through Netflow function due to improper input validation, allowing attackers to execute arbitrary system…
CVE-2020-26518 — CVSS 9.8 (critical): Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/include/chart_genera…
CVE-2024-35306 — CVSS 9.8 (critical): OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables. This issue affects…
CVE-2024-35307 — CVSS 9.8 (critical): Argument Injection Leading to Remote Code Execution in Realtime Graph Extension, allowing unauthenticated attackers to execute arbitrary…
CVE-2025-5306 — CVSS 9.8 (critical): Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS…
CVE-2024-12992 — CVSS 9.8 (critical): Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection via RCE. This issue affects Pandora…
CVE-2018-11221 — CVSS 9.8 (critical): Unauthenticated untrusted file upload in Artica Pandora FMS through version 7.23 allows an attacker to upload an arbitrary plugin via…
CVE-2023-41807 — CVSS 9.1 (critical): Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. This vulnerability allows a user to escalate…
CVE-2026-30805 — CVSS 9.1 (critical): Insecure Default Initialization of Resource vulnerability allows Authentication Bypass via API access. This issue affects Pandora FMS: from…
CVE-2010-4278 — CVSS 9.0 (critical): operation/agentes/networkmap.php in Pandora FMS before 3.1.1 allows remote authenticated users to execute arbitrary commands via shell…
CVE-2026-30807 — CVSS 8.8 (high): Cross-Site Request Forgery vulnerability allows an attacker to perform unauthorized actions via crafted web page. This issue affects…
CVE-2024-12971 — CVSS 8.8 (high): Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection.This issue affects Pandora FMS from…
CVE-2026-34186 — CVSS 8.8 (high): Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via custom fields. This issue affects…
CVE-2026-30813 — CVSS 8.8 (high): Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via module search. This issue affects…
CVE-2019-19681 — CVSS 8.8 (high): Pandora FMS 7.x suffers from remote code execution vulnerability. With an authenticated user who can modify the alert system, it is…
CVE-2026-30810 — CVSS 8.8 (high): Server-Side Request Forgery vulnerability allows Privilege Escalation via API Checker extension. This issue affects Pandora FMS: from 777…
CVE-2019-20224 — CVSS 8.8 (high): netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via…
CVE-2026-30809 — CVSS 8.8 (high): Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via WebServerModuleDebug. This…
CVE-2026-30806 — CVSS 8.8 (high): Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Network Report. This issue…
CVE-2023-41808 — CVSS 8.5 (high): Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. This vulnerability allows an unauthorised…
CVE-2023-41791 — CVSS 8.4 (high): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site…
CVE-2023-41806 — CVSS 8.2 (high): Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. This vulnerability causes that a bad…
CVE-2026-30808 — CVSS 8.1 (high): Session Fixation vulnerability allows Session Hijacking via crafted session ID. This issue affects Pandora FMS: from 777 through 800
CVE-2023-44092 — CVSS 7.6 (high): Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Pandora FMS on all allows OS…
CVE-2023-41788 — CVSS 7.6 (high): Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all allows Accessing Functionality Not Properly Constrained…
CVE-2023-41789 — CVSS 7.6 (high): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site…
CVE-2023-41790 — CVSS 7.6 (high): Uncontrolled Search Path Element vulnerability in Pandora FMS on all allows Leveraging/Manipulating Configuration File Search Paths. This…
CVE-2023-44091 — CVSS 7.5 (high): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pandora FMS on all allows SQL…
CVE-2010-4283 — CVSS 7.5 (high): PHP remote file inclusion vulnerability in extras/pandora_diag.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary…
CVE-2010-4280 — CVSS 7.5 (high): Multiple SQL injection vulnerabilities in Pandora FMS before 3.1.1 allow remote authenticated users to execute arbitrary SQL commands via…
CVE-2010-4282 — CVSS 7.5 (high): Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local…
CVE-2010-4281 — CVSS 7.5 (high): Incomplete blacklist vulnerability in the safe_url_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to…
CVE-2018-11222 — CVSS 7.5 (high): Local File Inclusion (LFI) in Artica Pandora FMS through version 7.23 allows an attacker to call any php file via the…
CVE-2020-5844 — CVSS 7.2 (high): index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious…
CVE-2017-15935 — CVSS 7.2 (high): Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execution through the manager files function. This is only exploitable by…
CVE-2020-7935 — CVSS 7.2 (high): Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous…
CVE-2020-8500 — CVSS 7.2 (high): In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component…
CVE-2020-8511 — CVSS 7.2 (high): In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component…
CVE-2020-8947 — CVSS 7.2 (high): functions_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the…
CVE-2026-30804 — CVSS 7.2 (high): Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. This issue affects Pandora FMS…
CVE-2026-34188 — CVSS 7.2 (high): Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Event Response execution…
CVE-2023-4677 — CVSS 7.0 (high): Cron log backup files contain administrator session IDs. It is trivial for any attacker who can reach the Pandora FMS Console to scrape the…
CVE-2023-41786 — CVSS 6.8 (medium): Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pandora FMS on all allows File Discovery. This vulnerability…
CVE-2019-20050 — CVSS 6.8 (medium): Pandora FMS ≤ 7.42 suffers from a remote code execution vulnerability. To exploit the vulnerability, an authenticated user should create…
CVE-2023-44090 — CVSS 6.8 (medium): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pandora FMS on all allows…
CVE-2021-36697 — CVSS 6.7 (medium): With an admin account, the .htaccess file in Artica Pandora FMS <=755 can be overwritten with the File Manager component. The new .htaccess…
CVE-2023-41793 — CVSS 6.7 (medium): : Path Traversal vulnerability in Pandora FMS on all allows Path Traversal. This vulnerability allowed changing directories and creating…
CVE-2021-32100 — CVSS 6.5 (medium): A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user.
CVE-2017-15937 — CVSS 6.5 (medium): Artica Pandora FMS version 7.0 leaks a full installation pathname via GET data when intercepting the main page's graph requisition. This…
CVE-2026-30811 — CVSS 6.5 (medium): Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS…
CVE-2023-41787 — CVSS 6.0 (medium): Uncontrolled Search Path Element vulnerability in Pandora FMS on all allows Leveraging/Manipulating Configuration File Search Paths. This…
CVE-2023-41792 — CVSS 5.9 (medium): Cross-Site Request Forgery (CSRF) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed…
CVE-2021-34075 — CVSS 5.9 (medium): In Artica Pandora FMS <=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can…
CVE-2023-41812 — CVSS 5.7 (medium): Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all allows Accessing Functionality Not Properly Constrained…
CVE-2017-15934 — CVSS 5.4 (medium): Artica Pandora FMS version 7.0 is vulnerable to stored Cross-Site Scripting in the map name parameter.
CVE-2017-15936 — CVSS 5.4 (medium): In Artica Pandora FMS version 7.0, an Attacker with write Permission can create an agent with an XSS Payload; when a user enters the agent…
CVE-2026-30812 — CVSS 5.4 (medium): Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue…
CVE-2020-8497 — CVSS 5.3 (medium): In Artica Pandora FMS through 7.42, an unauthenticated attacker can read the chat history. The file is in JSON format and it contains user…
CVE-2023-41811 — CVSS 5.3 (medium): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site…
CVE-2021-46681 — CVSS 4.0 (medium): A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module…
CVE-2023-41810 — CVSS 4.0 (medium): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site…