VYPR
Medium severity 5.4 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-36827

Description

A command injection vulnerability exists in Panabit PAP-XM320 up to and including V7.7. The web management interface invokes the backend helper /usr/sbin/pappiw and passes user-controlled parameters to it. The helper performs unsafe argument processing using eval, which allows command injection when attacker-controlled input is included in the arguments. As a result, an authenticated remote attacker with access to the management interface may execute arbitrary shell commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Panabit PAP-XM320 up to and including V7.7 has a command injection in the pappiw helper via eval, letting an authenticated attacker with access to the management interface execute arbitrary shell commands.

Vulnerability

A command injection vulnerability exists in the web management interface of Panabit PAP-XM320 up to and including V7.7 [1]. The backend helper /usr/sbin/pappiw is invoked with user-controlled parameters, and it performs unsafe argument processing using eval, which allows arbitrary command injection [1].

Exploitation

An authenticated attacker with access to the management interface can inject shell metacharacters into the parameters passed to pappiw; the helper passes these arguments through eval, enabling arbitrary command execution. No special network position beyond the management interface is required, but valid credentials are necessary [1].
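The eval pattern described above, shown next to an eval-free parser, as an added example. This is not Panabit's code: the function names, the `ssid` and `channel` parameters and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sketch of "key=value" argument handling in a shell helper.
# Hypothetical names throughout; this is not the pappiw source.

# Unsafe pattern: eval re-parses each argument as shell source, so
# metacharacters inside a value are interpreted instead of stored.
parse_unsafe() {
    for arg in "$@"; do
        eval "$arg"
    done
}

# Hardened pattern: split on the first '=', validate the value against a
# strict character set, allowlist the key, and assign without eval.
parse_safe() {
    for arg in "$@"; do
        case $arg in
            *=*) key=${arg%%=*}; val=${arg#*=} ;;
            *)   return 2 ;;                    # not key=value
        esac
        case $val in
            ''|*[!A-Za-z0-9._-]*) return 3 ;;   # empty or unexpected characters
        esac
        case $key in
            ssid)    ssid=$val ;;
            channel) channel=$val ;;
            *)       return 4 ;;                # unknown parameter
        esac
    done
}

# Constructed input: a value carrying ';' followed by a harmless assignment.
SAMPLE='ssid=lab;MARKER=executed'

# Each demo runs in a subshell so the caller's variables are untouched.
demo_unsafe() ( MARKER=; parse_unsafe "$SAMPLE"; printf '%s' "$MARKER" )
demo_safe() (
    MARKER=; rc=0
    parse_safe "$SAMPLE" || rc=$?
    printf '%s:%s' "$rc" "$MARKER"
)

printf 'eval parser:   MARKER=%s\n' "$(demo_unsafe)"
printf 'strict parser: rc:MARKER=%s\n' "$(demo_safe)"
```

With the eval parser the trailing assignment runs and `MARKER` is set; the strict parser rejects the same argument with status 3 and leaves `MARKER` empty.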

Impact

Successful exploitation allows the attacker to execute arbitrary shell commands on the underlying operating system with the privileges of the vulnerable helper process. This can lead to full compromise of the device's confidentiality, integrity, and availability [1].

Mitigation

Panabit has not yet released a patched version as of the publication date (2026-05-19). The vendor advisory [1] does not describe any workaround. Users should monitor vendor communications and restrict access to the management interface to trusted networks and accounts [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
