CVE-2026-36829
Description
An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authentication bypass in Panabit PAP-XM320 up to v7.7 allows unauthenticated remote attackers to gain admin access via directory traversal in cookie validation.
Vulnerability
The embedded HTTP server in Panabit PAP-XM320 up to and including v7.7 validates session cookies by checking whether a file named after the cookie value exists on the filesystem, with the cookie value used directly. No sanitization is applied, so traversal sequences in the value are honoured. An attacker can supply a cookie value such as ../../etc/passwd, which escapes the session directory and resolves to a file that always exists; the existence check passes and the request is treated as an authenticated administrative session. Because the check is only "does this path exist", any value that resolves to an existing file or directory satisfies it, not just /etc/passwd.
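The pattern the narrative describes, beside a hardened form, as an added C example that is not Panabit's code. The session directory (/tmp/pap_demo_sessions), the 32-hex-character token format and the helper names are assumptions made for the demonstration; the device's real session store and cookie format are not documented on this page.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical session store and token shape for this demo only. */
#define SESSION_DIR "/tmp/pap_demo_sessions"
#define TOKEN_LEN   32
#define DEMO_TOKEN  "0123456789abcdef0123456789abcdef"

/* Vulnerable pattern: the cookie value is pasted into a path and the only
 * "validation" is that something exists there. "../../etc/passwd" becomes
 * /tmp/pap_demo_sessions/../../etc/passwd, which exists, so it passes.   */
int session_valid_vulnerable(const char *cookie)
{
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, SESSION_DIR "/%s", cookie) >= (int)sizeof path)
        return 0;
    return access(path, F_OK) == 0;
}

/* Allow-list the token syntax: exactly TOKEN_LEN hex digits, nothing else. */
int session_token_wellformed(const char *cookie)
{
    size_t n = strlen(cookie);
    if (n != TOKEN_LEN)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)cookie[i]))
            return 0;
    return 1;
}

/* Hardened form: reject anything that is not a well-formed token, then
 * canonicalise and confirm the result is still inside SESSION_DIR.
 * realpath() fails for a missing file, so it doubles as the existence check. */
int session_valid_hardened(const char *cookie)
{
    char path[PATH_MAX], base[PATH_MAX], resolved[PATH_MAX];
    if (!session_token_wellformed(cookie))
        return 0;
    if (snprintf(path, sizeof path, SESSION_DIR "/%s", cookie) >= (int)sizeof path)
        return 0;
    if (!realpath(SESSION_DIR, base) || !realpath(path, resolved))
        return 0;
    size_t bl = strlen(base);
    if (strncmp(resolved, base, bl) != 0 || resolved[bl] != '/')
        return 0;                       /* escaped the session directory */
    return 1;
}

/* Demo setup: create the store with one valid session file. 0 on success. */
int setup_demo_store(const char *token)
{
    char path[PATH_MAX];
    if (mkdir(SESSION_DIR, 0700) != 0 && errno != EEXIST)
        return -1;
    if (snprintf(path, sizeof path, SESSION_DIR "/%s", token) >= (int)sizeof path)
        return -1;
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fclose(f);
    return 0;
}

int main(void)
{
    const char *probes[] = { DEMO_TOKEN, "../../etc/passwd", "." };
    if (setup_demo_store(DEMO_TOKEN) != 0) {
        perror("setup");
        return 1;
    }
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-36s vulnerable=%d hardened=%d\n", probes[i],
               session_valid_vulnerable(probes[i]),
               session_valid_hardened(probes[i]));
    return 0;
}
```

Note that "." also passes the vulnerable check, since the session directory itself exists; the same goes for an empty value. The allow-list is what closes the bug; the realpath containment check is defence in depth, and the underlying design fault, deriving authentication from whether a path exists, is better replaced by a lookup of the token in a server-side session table.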
Exploitation
An attacker with network access to the device's HTTP management interface can send a crafted HTTP request containing a malicious session cookie. The cookie value includes directory traversal sequences (e.g., ../) to point to an existing system file. The server's filesystem existence check succeeds, and the attacker is granted an authenticated session without valid credentials.
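Detection logic for the request described above, as an added C example that is not part of the original page or the vendor's software. It scans a raw HTTP request for a Cookie header whose value, after percent-decoding (applied twice to catch double encoding such as %252e), contains a ".." path component. The cookie name sid and the three sample requests are constructed for this demonstration; the device's actual cookie name is not given on this page.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Percent-decode `in` into `out` (bounded). Returns the decoded length. */
static size_t pct_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] && o + 1 < outsz; i++) {
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1])
                         && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], 0 };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return o;
}

/* True when any '/'-separated component of the decoded value is "..".
 * Backslashes are folded to '/' and decoding runs twice for %252e forms. */
int cookie_value_has_traversal(const char *value)
{
    char once[512], twice[512];
    pct_decode(value, once, sizeof once);
    pct_decode(once, twice, sizeof twice);
    for (char *p = twice; *p; p++)
        if (*p == '\\')
            *p = '/';
    char *save = NULL;
    for (char *tok = strtok_r(twice, "/", &save); tok; tok = strtok_r(NULL, "/", &save))
        if (strcmp(tok, "..") == 0)
            return 1;
    return 0;
}

/* Walk the header block of one raw request; flag it if any cookie pair
 * carries traversal. Header names are matched case-insensitively. */
int request_has_cookie_traversal(const char *raw)
{
    const char *line = raw;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len == 0)
            break;                              /* blank line: end of headers */
        if (len > 7 && strncasecmp(line, "Cookie:", 7) == 0) {
            char hdr[1024];
            size_t n = len - 7 < sizeof hdr - 1 ? len - 7 : sizeof hdr - 1;
            memcpy(hdr, line + 7, n);
            hdr[n] = '\0';
            char *save = NULL;
            for (char *pair = strtok_r(hdr, ";", &save); pair; pair = strtok_r(NULL, ";", &save)) {
                char *eq = strchr(pair, '=');
                const char *val = eq ? eq + 1 : pair;
                while (*val == ' ')
                    val++;
                if (cookie_value_has_traversal(val))
                    return 1;
            }
        }
        if (!eol)
            break;
        line = eol + 2;
    }
    return 0;
}

/* Constructed sample requests (not captured traffic). */
const char *const REQ_BENIGN =
    "GET /index.htm HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Cookie: sid=0123456789abcdef0123456789abcdef\r\n\r\n";
const char *const REQ_PLAIN_TRAVERSAL =
    "GET /index.htm HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Cookie: sid=../../etc/passwd\r\n\r\n";
const char *const REQ_ENCODED_TRAVERSAL =
    "GET /index.htm HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "cookie: lang=en; sid=%252e%252e%2f%2e%2e%2fetc%2fpasswd\r\n\r\n";

/* Number of the three samples that trip the detector. */
int demo_flagged_count(void)
{
    const char *const reqs[] = { REQ_BENIGN, REQ_PLAIN_TRAVERSAL, REQ_ENCODED_TRAVERSAL };
    int hits = 0;
    for (size_t i = 0; i < 3; i++)
        hits += request_has_cookie_traversal(reqs[i]);
    return hits;
}

int main(void)
{
    printf("flagged %d of 3 sample requests\n", demo_flagged_count());
    return 0;
}
```

The same component test can be run on the server side as a pre-authentication reject, but a detection rule like this is only a stopgap: the narrative's check accepts any existing path, so a value with no ".." at all (for instance "." or an empty string) also passes it, and a WAF rule keyed on traversal sequences will not see those.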
Impact
Successful exploitation grants the attacker administrative access to the web interface. This leads to full compromise of the device, including the ability to read sensitive data, modify configuration, and potentially pivot to internal networks. The CVSS v3 score is 9.8 (Critical).
Mitigation
As of the publication date (2026-05-19), no official patch or workaround has been released by Panabit. Users should monitor the vendor's website [1] for updates. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at this time.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.