Cyber Resilience

CVE-2026-34186

High

Published: 13 April 2026

Published
13 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Amber
EPSS Score 0.0025 16.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-34186 is a high-severity SQL Injection (CWE-89) vulnerability in Artica Pandora Fms. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34186 is an Improper Neutralization of Special Elements used in an SQL Command vulnerability (CWE-89) that enables SQL injection attacks via custom fields in Pandora FMS, affecting versions from 777 through 800. Published on 2026-04-13, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). Successful exploitation allows arbitrary SQL commands to be injected via custom fields, potentially enabling data exfiltration, modification, or deletion, as well as denial-of-service impacts given the high ratings for C:H, I:H, and A:H.

Mitigation details are available in the vendor advisory at https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/. Security practitioners should prioritize patching affected Pandora FMS installations to versions outside the 777-800 range and review access controls for custom field usage.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via custom fields. This issue affects Pandora FMS: from 777 through 800

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote SQL injection flaw (CWE-89) in the Pandora FMS web application with network attack vector (AV:N) and low privileges required (PR:L), directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30813Same product: Artica Pandora Fms
CVE-2026-30807Same product: Artica Pandora Fms
CVE-2026-30805Same product: Artica Pandora Fms
CVE-2026-30806Same product: Artica Pandora Fms
CVE-2026-30810Same product: Artica Pandora Fms
CVE-2024-12992Same product: Artica Pandora Fms
CVE-2026-30804Same product: Artica Pandora Fms
CVE-2026-34188Same product: Artica Pandora Fms
CVE-2024-12971Same product: Artica Pandora Fms
CVE-2026-30809Same product: Artica Pandora Fms

Affected Assets

artica
pandora fms
777 — 800.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of information inputs like custom fields to neutralize special elements and prevent SQL injection (CWE-89) in Pandora FMS.

prevent

Mandates timely remediation of the specific SQL injection flaw affecting Pandora FMS versions 777 through 800, aligning with vendor patching guidance.

prevent

Enforces restrictions on input formats, lengths, and character sets for custom fields to mitigate SQL injection attempts.

References