CVE 9.8 CRITICAL

CVE-2026-36829_CVE-2026-36829

May 19, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication.

AI Analysis

Authentication bypass vulnerability in the embedded HTTP server due to improper session cookie validation

Basic Information

ID CVE-2026-36829

Source mitre

Published May 19, 2026 at 00:00

Modified May 19, 2026 at 17:37

Affected Product

Vendor Panabit

Product PAP-XM320

Version v7.7

Affected Versions n/a n/a n/a

CWE Classification

CWE-22 CWE-287

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Panabit

Product PAP-XM320

Version v7.7

References

{
    "lastseen": "",
    "description": "An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication.",
    "published": "2026-05-19T00:00:00.000Z",
    "modified": "2026-05-19T17:37:49.059Z",
    "type": "cve",
    "title": "CVE-2026-36829",
    "source": "mitre",
    "references": "https://www.panabit.com/\nhttps://secreu.notion.site/CVE-2026-36829-3652c0ab461580e19704e87b18865714",
    "id": "CVE-2026-36829",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "PAP-XM320",
    "version": "v7.7",
    "vendor": "Panabit",
    "ai_description": "Authentication bypass vulnerability in the embedded HTTP server due to improper session cookie validation",
    "ai_severity": "Critical",
    "ai_vendor": "Panabit",
    "ai_product": "PAP-XM320",
    "ai_version": "v7.7",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply