CVE-2026-36829

Severity CVSS v4.0:
Pending analysis
Type:
CWE-22 Path Traversal
Publication date:
19/05/2026
Last modified:
19/05/2026

Description

An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication.