CVE-2026-36827
Deferred Deferred - Pending Action
Command Injection in Panabit PAP-XM320

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: MITRE

Description
A command injection vulnerability exists in Panabit PAP-XM320 up to and including V7.7. The web management interface invokes the backend helper /usr/sbin/pappiw and passes user-controlled parameters to it. The helper performs unsafe argument processing using eval, which allows command injection when attacker-controlled input is included in the arguments. As a result, an authenticated remote attacker with access to the management interface may execute arbitrary shell commands.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-36827
EUVD
EUVD-2026-30951
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
panabit pap-xm320 to 7.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves command injection via the web management interface of Panabit PAP-XM320 devices up to version 7.7, specifically through the backend helper /usr/sbin/pappiw which processes user-controlled parameters unsafely.

To detect this vulnerability on your system, you should monitor for unusual or unauthorized command executions originating from the management interface or the /usr/sbin/pappiw helper.

Since the vulnerability requires authenticated access, checking logs for suspicious activity related to the management interface is important.

  • Review system logs for commands executed by /usr/sbin/pappiw, for example using: sudo grep pappiw /var/log/auth.log or sudo grep pappiw /var/log/syslog
  • Use network monitoring tools to detect unusual HTTP requests to the management interface that include suspicious parameters.
  • If possible, run commands to check the version of the Panabit PAP-XM320 device to confirm if it is running version 7.7 or earlier, which is vulnerable.
Executive Summary

This vulnerability is a command injection issue in the Panabit PAP-XM320 device up to version 7.7. The web management interface calls a backend helper program (/usr/sbin/pappiw) and passes parameters that come from the user. The helper uses unsafe argument processing with the eval function, which can execute arbitrary commands if attacker-controlled input is included. This means an authenticated remote attacker who can access the management interface can run arbitrary shell commands on the device.

Impact Analysis

The vulnerability allows an authenticated remote attacker to execute arbitrary shell commands on the affected device. This can lead to unauthorized control over the device, potentially allowing the attacker to manipulate system settings, access sensitive data, disrupt services, or use the device as a foothold for further attacks within the network.

Compliance Impact

The provided information does not specify how the command injection vulnerability in Panabit PAP-XM320 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

Immediate mitigation steps include restricting access to the web management interface to trusted and authenticated users only.

Ensure that only authorized personnel have management interface credentials to prevent authenticated attackers from exploiting the vulnerability.

Monitor and audit usage of the management interface and the /usr/sbin/pappiw helper for suspicious command execution.

If available, upgrade the Panabit PAP-XM320 device firmware to a version later than 7.7 where this vulnerability is fixed.

Consider implementing network-level controls such as firewall rules to limit access to the management interface.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36827. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart