CVE-2026-36828
Deferred Deferred - Pending Action
Authenticated Command Injection in Panabit PAP-XM320

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: MITRE

Description
A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including v7.7. The CGI component allows authenticated users to execute arbitrary shell commands with root privileges via the action=runcmd parameter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-36828
EUVD
EUVD-2026-30954
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
panabit pap-xm320 to 7.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a command injection issue found in the /cgi-bin/tools/ajax_cmd endpoint of the Panabit PAP-XM320 device up to and including version 7.7.

It allows authenticated users to execute arbitrary shell commands with root privileges by using the action=runcmd parameter in the CGI component.

Impact Analysis

An attacker who is authenticated can exploit this vulnerability to run any shell command on the affected device with root-level access.

This could lead to full control over the device, allowing the attacker to modify configurations, access sensitive data, disrupt network operations, or use the device as a foothold for further attacks.

Detection Guidance

This vulnerability involves the /cgi-bin/tools/ajax_cmd endpoint on Panabit PAP-XM320 devices, which allows authenticated users to execute arbitrary shell commands with root privileges via the action=runcmd parameter.

To detect this vulnerability on your system, you can monitor HTTP requests targeting the /cgi-bin/tools/ajax_cmd endpoint, especially those containing the action=runcmd parameter.

Suggested commands include using network monitoring tools or web server logs to search for suspicious requests. For example, using grep on web server logs:

  • grep "/cgi-bin/tools/ajax_cmd" /var/log/httpd/access_log
  • grep "action=runcmd" /var/log/httpd/access_log

Additionally, you can use network traffic analysis tools like tcpdump or Wireshark to filter HTTP requests to the vulnerable endpoint.

Mitigation Strategies

Immediate mitigation steps include restricting access to the /cgi-bin/tools/ajax_cmd endpoint to trusted and authenticated users only.

Ensure that only authorized personnel have authentication credentials to the device, and consider disabling or restricting the vulnerable CGI component if possible.

Monitor logs and network traffic for any suspicious activity targeting this endpoint.

Contact the vendor or check their official website for any patches or updates that address this vulnerability.

Compliance Impact

The provided information does not specify how the command injection vulnerability in Panabit PAP-XM320 affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36828. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart