PatchSiren

Panabit CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL Panabit CVE published 2026-05-19

CVE-2026-36829

CVE-2026-36829 is a critical authentication bypass in the embedded HTTP server of Panabit PAP-XM320 devices up to and including v7.7. According to the CVE description, the server checks whether a session cookie maps to an existing file on disk, but does so using a user-controlled cookie value without proper sanitization. That creates a path traversal condition that can defeat authentication. The record wa [truncated]

HIGH Panabit CVE published 2026-05-19

CVE-2026-36828

CVE-2026-36828 describes a command injection issue in the /cgi-bin/tools/ajax_cmd CGI endpoint of Panabit PAP-XM320 systems up to and including v7.7. According to the CVE record, authenticated users can abuse the action=runcmd parameter to execute arbitrary shell commands with root privileges, making successful exploitation especially serious even though it requires valid credentials.

MEDIUM Panabit CVE published 2026-05-19

CVE-2026-36827

CVE-2026-36827 describes a command injection vulnerability in Panabit PAP-XM320 up to and including v7.7. The web management interface passes user-controlled parameters to the backend helper /usr/sbin/pappiw, which performs unsafe argument handling with eval. An authenticated remote attacker with access to the management interface may be able to execute arbitrary shell commands. NVD lists the issue as def [truncated]