Pandora FMS Unrestricted File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

A vulnerability in Pandora FMS versions 777 through 800 allows unrestricted upload of dangerous file types, leading to remote code execution. The issue lies in the File Repository Manager feature, where authenticated administrators can upload malicious PHP scripts and execute them by decoding the file location.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Pandora FMS is running.

Reproduction

To reproduce this vulnerability, an authenticated administrator can upload a PHP file through the File Repository Manager. The uploaded file can then be executed by accessing its location on the server, provided the php-fileinfo extension is disabled.

Remediation

Users can update to Pandora FMS version 801 or later, where this vulnerability has been addressed.
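
For custom upload handlers exposed to the same class of bug, the following PHP example (added here; it is not Pandora FMS code or its patch) treats a missing fileinfo extension, the condition named under Reproduction, as a reason to refuse uploads, and checks both the file name and the detected content type against an allowlist. The function name, the allowlist and the sample files are assumptions constructed for illustration.

```php
<?php
// Added example: fail-closed validation for an upload handler.
// Not Pandora FMS code; validate_upload() and ALLOWED are hypothetical names.

const ALLOWED = [            // extension => MIME types accepted for it (constructed allowlist)
    'txt' => ['text/plain'],
    'pdf' => ['application/pdf'],
    'png' => ['image/png'],
    'zip' => ['application/zip'],
];

function validate_upload(string $tmpPath, string $clientName): array
{
    // Fail closed: without fileinfo there is no content check, so refuse the upload.
    if (!extension_loaded('fileinfo')) {
        return [false, 'fileinfo extension not loaded; uploads refused'];
    }
    $name = basename($clientName);
    // Accept only "name.ext": no path parts, no double suffix such as x.php.png.
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
        return [false, 'file name not in the form name.ext'];
    }
    $ext = strtolower($m[1]);
    if (!array_key_exists($ext, ALLOWED)) {
        return [false, "extension .$ext not on allowlist"];
    }
    // Detect the type from the file's bytes, not from the client-supplied header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED[$ext], true)) {
        return [false, 'content type ' . var_export($mime, true) . " does not match .$ext"];
    }
    // Store under a server-generated name so the client never controls the on-disk path.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed sample inputs: a PHP script under two names, and a genuine text file.
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 1; ?>\n");
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "plain notes\n");
foreach ([[$php, 'report.php'], [$php, 'report.txt'], [$txt, 'notes.txt']] as [$path, $name]) {
    [$ok, $detail] = validate_upload($path, $name);
    printf("%-11s %s  %s\n", $name, $ok ? 'ACCEPT' : 'REJECT', $detail);
}
unlink($php);
unlink($txt);
```

Content sniffing can be defeated by files that are valid in more than one format, so the storage directory should also sit outside the web root or have script execution disabled by the web server.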

Added: Apr 13, 2026, 6:17 PM
Updated: Apr 13, 2026, 6:17 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 7.5
exploitability: 7.0
remediation: 0.0
relevance: 5.8
threat: 1.6
urgency: 5.7
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.