CVEFinder.io

CVE-2025-5306

⛔ critical
Summary

Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778.

CVSS Score: 9.8 (Critical)
EPSS Score: 40.0 (Exploit Probability)
Published Date: 2025-06-27
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Very High Risk - more severe than 90.5% of all 328,009 vulnerabilities in our database.

Severity Percentile: #31,168 (Top 10% most severe)
🎯 CISA SSVC Assessment Updated: Jun 27, 2025
🔍 Exploitation Status: None (No known exploits)
⚙️ Automatable: NO (Requires human interaction)
💥 Technical Impact: Partial (Limited system impact)
🏆 Discovered By: Martin Sutovsky, Security Researcher. Rapid 7
SSVC data provided by CISA
Last Modified 2025-09-16
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:M/U:Green

🔗 Related CVEs 6

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
|---|---|---|---|---|---|
| CVE-2026-34187 | ⛔ critical | 9.8 | 0.0 | Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via graph containe... | 2026-05-12 |
| CVE-2024-12971 | ⚠️ high | 8.8 | 73.7 | Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection. This issue affec... | 2025-03-17 |
| CVE-2024-12992 | ⛔ critical | 9.8 | 0.6 | Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection via RCE. This ... | 2025-03-17 |
| CVE-2024-35304 | ⛔ critical | 9.8 | 1.8 | System command injection through Netflow function due to improper input validation, allowing attackers to execute arbit... | 2024-06-10 |
| CVE-2024-35305 | ⛔ critical | 9.8 | 0.4 | Unauth Time-Based SQL Injection in API allows to exploit HTTP request Authorization header. This issue affects Pandora ... | 2024-06-10 |
| CVE-2024-35306 | ⛔ critical | 9.8 | 0.5 | OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables. Thi... | 2024-06-10 |
These CVEs affect the same products