{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30812", "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "state": "PUBLISHED", "assignerShortName": "PandoraFMS", "dateReserved": "2026-03-05T16:16:01.151Z", "datePublished": "2026-04-13T15:48:29.238Z", "dateUpdated": "2026-04-13T17:55:20.404Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS", "dateUpdated": "2026-04-13T15:48:29.238Z"}, "title": "Stored Cross-Site Scripting in Event Comments via Filter Bypass", "datePublic": "2026-04-13T15:50:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "affected": [{"vendor": "Pandora FMS", "product": "Pandora FMS", "platforms": ["all"], "versions": [{"status": "affected", "version": "777", "lessThanOrEqual": "800", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue affects Pandora FMS: from 777 through 800", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue affects Pandora FMS: from 777 through 800"}]}], "references": [{"url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NEGLIGIBLE", "Automatable": "NO", "Recovery": "AUTOMATIC", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "LOW", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "LOW", "baseScore": 2.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:A/V:D/RE:L/U:Amber"}}], "solutions": [{"lang": "en", "value": "Fixed in v800.1 and v801 Pandora FMS versions", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Fixed in v800.1 and v801 Pandora FMS versions"}]}], "credits": [{"lang": "en", "value": "Pedro J. N\u00fa\u00f1ez-Cacho Fuentes <tunelko@gmail.com>", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T17:43:20.380114Z", "id": "CVE-2026-30812", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:55:20.404Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30812", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T17:43:20.380114Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:55:15.593Z"}}], "cna": {"title": "Stored Cross-Site Scripting in Event Comments via Filter Bypass", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Pedro J. N\u00fa\u00f1ez-Cacho Fuentes <tunelko@gmail.com>"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 2.1, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:A/V:D/RE:L/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Pandora FMS", "product": "Pandora FMS", "versions": [{"status": "affected", "version": "777", "versionType": "custom", "lessThanOrEqual": "800"}], "platforms": ["all"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Fixed in v800.1 and v801 Pandora FMS versions", "supportingMedia": [{"type": "text/html", "value": "Fixed in v800.1 and v801 Pandora FMS versions", "base64": false}]}], "datePublic": "2026-04-13T15:50:00.000Z", "references": [{"url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue affects Pandora FMS: from 777 through 800", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue affects Pandora FMS: from 777 through 800", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "providerMetadata": {"orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS", "dateUpdated": "2026-04-13T15:48:29.238Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30812", "state": "PUBLISHED", "dateUpdated": "2026-04-13T17:55:20.404Z", "dateReserved": "2026-03-05T16:16:01.151Z", "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "datePublished": "2026-04-13T15:48:29.238Z", "assignerShortName": "PandoraFMS"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue affects Pandora FMS: from 777 through 800"}], "id": "CVE-2026-30812", "lastModified": "2026-04-13T16:16:26.147", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "AUTOMATIC", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:D/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "source": "security@pandorafms.com", "type": "Secondary"}]}, "published": "2026-04-13T16:16:26.147", "references": [{"source": "security@pandorafms.com", "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@pandorafms.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["all"], "status": "affected", "versions": {"scheme": "generic", "value": "[777,800]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Pandora FMS", "source": "cna", "vendor": "Pandora FMS"}, "product": "pandora_fms", "vendor": "pandora_fms"}], "analysis": {"en": {"generated_at": "2026-04-13T18:37:43.816343+00:00", "value": {"mitigation_remediation": ["Upgrade Pandora FMS to version 800.1 or later"], "summary": {"action": "Patch Upgrade", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Pandora FMS is affected by this defect. The flaw exists in all releases from version 777 up through 800 inclusive. Versions v800.1 and later include the vendor\u2019s fix and are not impacted.", "description_and_impact": "The vulnerability arises from improper neutralization of user-supplied input when rendering event comments in Pandora FMS, enabling an attacker to inject and store malicious scripts that will execute in the browser context of any user who views the affected comment. This stored XSS flaw is tagged as CWE\u201179 and can facilitate client\u2011side attacks such as session hijacking, defacement, or the delivery of malicious content. The impact is confined to users who access the edited event comments; it does not provide direct server\u2011side code execution or privilege escalation.", "risk_and_exploitability": "The officially assigned CVSS score is 2.1, indicating low overall severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through a web browser accessed by users having permission to view event comments. Successful exploitation requires an attacker to obtain write access to the comment field or otherwise insert malicious payloads, after which the payload will be served to other users. While the probability of exploitation may be moderate in environments with weak input validation policies, the overall risk remains low due to the need for user interaction."}}}}, "created": "2026-04-14T16:18:56.327418+00:00", "updated": "2026-04-14T16:34:04.898263+00:00", "vendors": ["pandora_fms", "pandora_fms$PRODUCT$pandora_fms"]}