CVE-2026-36829
CRITICAL
NVD
CVSS Score
9.8
Severity
CRITICAL
Published
May 19, 2026
Vendor
unknown
Description
An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication.