9.8
CVE-2026-36829: Panabit PAP-XM320 HTTP Server Authentication Bypass Risk
CVE-2026-36829
Summary
The Panabit PAP-XM320's built-in web server has a weakness that could let attackers access it without needing a password. The server validates the session cookie by checking whether a file exists at a path derived from the cookie value, and it does not sanitize that value, so an attacker who manipulates the cookie can use directory traversal to pass the check. To stay safe, update to a newer version of Panabit PAP-XM320.
Original title
An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check base...
Original description
An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication.
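An added example, not Panabit's code and not part of the original advisory: a Python illustration of the flawed pattern described above (a cookie value joined into a path and tested only for existence) beside a hardened check. The session directory layout, the 32-hex-character token format and all function names are assumptions made for illustration.

```python
import os
import re
import tempfile

TOKEN_RE = re.compile(r"[0-9a-f]{32}")  # assumed token format (hypothetical)


def weak_check(session_dir, cookie):
    # Flawed pattern: the cookie value goes straight into a path and only
    # existence is tested, so any existing path counts as a session.
    return os.path.exists(os.path.join(session_dir, cookie))


def hardened_check(session_dir, cookie):
    # 1. Allow-list the token syntax before touching the filesystem.
    if not TOKEN_RE.fullmatch(cookie):
        return False
    # 2. Resolve symlinks and require the file to sit directly in session_dir.
    base = os.path.realpath(session_dir)
    candidate = os.path.realpath(os.path.join(base, cookie))
    if os.path.dirname(candidate) != base:
        return False
    # 3. A session must be a regular file, not a directory.
    return os.path.isfile(candidate)


def demo():
    # Constructed session store: one file per live session, plus an
    # unrelated file outside the store.
    with tempfile.TemporaryDirectory() as root:
        session_dir = os.path.join(root, "sessions")
        os.mkdir(session_dir)
        live = "0123456789abcdef0123456789abcdef"
        for path in (os.path.join(session_dir, live),
                     os.path.join(root, "config.txt")):
            open(path, "w").close()
        samples = {
            "live token": live,
            "unknown token": "f" * 32,
            "traversal value": "../config.txt",
            "empty value": "",
        }
        return {name: (weak_check(session_dir, v), hardened_check(session_dir, v))
                for name, v in samples.items()}


if __name__ == "__main__":
    for name, (weak, hardened) in demo().items():
        print(f"{name:16} weak={weak!s:5} hardened={hardened}")
```

The empty value is worth noting: joined to the session directory it names the directory itself, which always exists, so the existence-only check accepts it as well.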
Vulnerability type
CWE-22: Path Traversal
CWE-287: Improper Authentication
Published: 19 May 2026 · Updated: 31 May 2026 · First seen: 19 May 2026