{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4760", "assignerOrgId": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "state": "PUBLISHED", "assignerShortName": "CODRA", "dateReserved": "2026-03-24T09:11:56.554Z", "datePublished": "2026-03-25T12:29:13.631Z", "dateUpdated": "2026-03-26T08:53:11.120Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "shortName": "CODRA", "dateUpdated": "2026-03-26T08:53:11.120Z"}, "title": "Potential unauthorized access to files on the Web HMI server host", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-552", "description": "CWE-552 Files or directories accessible to external parties", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-36", "descriptions": [{"lang": "en", "value": "CAPEC-36 Using Unpublished Interfaces or Functionality"}]}, {"capecId": "CAPEC-6", "descriptions": [{"lang": "en", "value": "CAPEC-6 Argument Injection"}]}], "affected": [{"vendor": "CODRA", "product": "Panorama Suite", "platforms": ["Windows"], "modules": ["Panorama HMI Web Server"], "versions": [{"status": "affected", "version": "Panorama Suite 2022-SP1", "lessThan": "update PS-2210-02-4079", "versionType": "custom"}, {"status": "affected", "version": "Panorama Suite 2023", "lessThan": "update PS-2300-03-3078 AND PS-2300-04-3078 AND PS-2300-82-3078", "versionType": "custom"}, {"status": "affected", "version": "Panorama Suite 2025", "lessThan": "update PS-2500-02-1078 AND PS-2500-04-1078", "versionType": "custom"}, {"status": "affected", "version": "Panorama Suite 2025 Updated Dec. 25", "lessThan": "update PS-2510-02-1077 AND PS-2510-04-1077", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:codra:panorama_suite:*:*:windows:*:*:*:*:*", "versionStartIncluding": "panorama_suite_2022-sp1", "versionEndExcluding": "update_ps-2210-02-4079"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codra:panorama_suite:*:*:windows:*:*:*:*:*", "versionStartIncluding": "panorama_suite_2023", "versionEndExcluding": "update_ps-2300-03-3078_and_ps-2300-04-3078_and_ps-2300-82-3078"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codra:panorama_suite:*:*:windows:*:*:*:*:*", "versionStartIncluding": "panorama_suite_2025", "versionEndExcluding": "update_ps-2500-02-1078_and_ps-2500-04-1078"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codra:panorama_suite:*:*:windows:*:*:*:*:*", "versionStartIncluding": "panorama_suite_2025_updated_dec._25", "versionEndExcluding": "update_ps-2510-02-1077_and_ps-2510-04-1077"}]}]}], "descriptions": [{"lang": "en", "value": "From Panorama Web HMI, an attacker can gain read access to certain Web HMI server files, if he knows their paths and if these files are accessible to the Servin process execution account.\n * Installations based on Panorama Suite 2022-SP1 (22.50.005) are vulnerable unless update PS-2210-02-4079 (or higher) is installed\n * Installations based on Panorama Suite 2023 (23.00.004) are vulnerable unless updates PS-2300-03-3078 (or higher) and PS-2300-04-3078 (or higher) and PS-2300-82-3078 (or higher) are installed\n * Installations based on Panorama Suite 2025 (25.00.016) are vulnerable unless updates PS-2500-02-1078 (or higher) and PS-2500-04-1078 (or higher) are installed \n * Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are vulnerable unless updates PS-2510-02-1077 (or higher) and PS-2510-04-1077 (or higher) are installed \n\n\nPlease refer to security bulletin BS-035, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt .", "supportingMedia": [{"type": "text/html", "base64": false, "value": "From Panorama Web HMI, an attacker can gain read access to certain Web HMI server files, if he knows their paths and if these files are accessible to the Servin process execution account.<br><ul><li>Installations based on Panorama Suite 2022-SP1 (22.50.005) are vulnerable unless update PS-2210-02-4079 (or higher) is installed</li><li>Installations based on Panorama Suite 2023 (23.00.004) are vulnerable unless updates PS-2300-03-3078 (or higher) and PS-2300-04-3078 (or higher) and PS-2300-82-3078 (or higher) are installed</li><li>Installations based on Panorama Suite 2025 (25.00.016) are vulnerable unless updates PS-2500-02-1078 (or higher) and PS-2500-04-1078 (or higher) are installed </li><li>Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are vulnerable unless updates PS-2510-02-1077 (or higher) and PS-2510-04-1077 (or higher) are installed </li></ul>Please refer to security bulletin BS-035, available on the Panorama CSIRT website: <a href=\"https://my.codra.net/en-gb/csirt\">https://my.codra.net/en-gb/csirt</a>."}]}], "references": [{"url": "https://my.codra.net/api/csirt/download?resourceId=1467&fileType=FichierPDF"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "RED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Red"}}], "source": {"advisory": "Pano/BS-035", "discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:11:20.361122Z", "id": "CVE-2026-4760", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:11:27.573Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4760", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:11:20.361122Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:11:22.796Z"}}], "cna": {"title": "Potential unauthorized access to files on the Web HMI server host", "source": {"advisory": "Pano/BS-035", "discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-36", "descriptions": [{"lang": "en", "value": "CAPEC-36 Using Unpublished Interfaces or Functionality"}]}, {"capecId": "CAPEC-6", "descriptions": [{"lang": "en", "value": "CAPEC-6 Argument Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Red", "exploitMaturity": "UNREPORTED", "providerUrgency": "RED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CODRA", "modules": ["Panorama HMI Web Server"], "product": "Panorama Suite", "versions": [{"status": "affected", "version": "Panorama Suite 2022-SP1", "lessThan": "update PS-2210-02-4079", "versionType": "custom"}, {"status": "affected", "version": "Panorama Suite 2023", "lessThan": "update PS-2300-03-3078 AND PS-2300-04-3078 AND PS-2300-82-3078", "versionType": "custom"}, {"status": "affected", "version": "Panorama Suite 2025", "lessThan": "update PS-2500-02-1078 AND PS-2500-04-1078", "versionType": "custom"}, {"status": "affected", "version": "Panorama Suite 2025 Updated Dec. 25", "lessThan": "update PS-2510-02-1077 AND PS-2510-04-1077", "versionType": "custom"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://my.codra.net/api/csirt/download?resourceId=1467&fileType=FichierPDF"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "From Panorama Web HMI, an attacker can gain read access to certain Web HMI server files, if he knows their paths and if these files are accessible to the Servin process execution account.\n * Installations based on Panorama Suite 2022-SP1 (22.50.005) are vulnerable unless update PS-2210-02-4079 (or higher) is installed\n * Installations based on Panorama Suite 2023 (23.00.004) are vulnerable unless updates PS-2300-03-3078 (or higher) and PS-2300-04-3078 (or higher) and PS-2300-82-3078 (or higher) are installed\n * Installations based on Panorama Suite 2025 (25.00.016) are vulnerable unless updates PS-2500-02-1078 (or higher) and PS-2500-04-1078 (or higher) are installed \n * Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are vulnerable unless updates PS-2510-02-1077 (or higher) and PS-2510-04-1077 (or higher) are installed \n\n\nPlease refer to security bulletin BS-035, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt .", "supportingMedia": [{"type": "text/html", "value": "From Panorama Web HMI, an attacker can gain read access to certain Web HMI server files, if he knows their paths and if these files are accessible to the Servin process execution account.<br><ul><li>Installations based on Panorama Suite 2022-SP1 (22.50.005) are vulnerable unless update PS-2210-02-4079 (or higher) is installed</li><li>Installations based on Panorama Suite 2023 (23.00.004) are vulnerable unless updates PS-2300-03-3078 (or higher) and PS-2300-04-3078 (or higher) and PS-2300-82-3078 (or higher) are installed</li><li>Installations based on Panorama Suite 2025 (25.00.016) are vulnerable unless updates PS-2500-02-1078 (or higher) and PS-2500-04-1078 (or higher) are installed </li><li>Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are vulnerable unless updates PS-2510-02-1077 (or higher) and PS-2510-04-1077 (or higher) are installed </li></ul>Please refer to security bulletin BS-035, available on the Panorama CSIRT website: <a href=\"https://my.codra.net/en-gb/csirt\">https://my.codra.net/en-gb/csirt</a>.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-552", "description": "CWE-552 Files or directories accessible to external parties"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:codra:panorama_suite:*:*:windows:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "update_ps-2210-02-4079", "versionStartIncluding": "panorama_suite_2022-sp1"}, {"criteria": "cpe:2.3:a:codra:panorama_suite:*:*:windows:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "update_ps-2300-03-3078_and_ps-2300-04-3078_and_ps-2300-82-3078", "versionStartIncluding": "panorama_suite_2023"}, {"criteria": "cpe:2.3:a:codra:panorama_suite:*:*:windows:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "update_ps-2500-02-1078_and_ps-2500-04-1078", "versionStartIncluding": "panorama_suite_2025"}, {"criteria": "cpe:2.3:a:codra:panorama_suite:*:*:windows:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "update_ps-2510-02-1077_and_ps-2510-04-1077", "versionStartIncluding": "panorama_suite_2025_updated_dec._25"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "shortName": "CODRA", "dateUpdated": "2026-03-26T08:53:11.120Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4760", "state": "PUBLISHED", "dateUpdated": "2026-03-26T08:53:11.120Z", "dateReserved": "2026-03-24T09:11:56.554Z", "assignerOrgId": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "datePublished": "2026-03-25T12:29:13.631Z", "assignerShortName": "CODRA"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "From Panorama Web HMI, an attacker can gain read access to certain Web HMI server files, if he knows their paths and if these files are accessible to the Servin process execution account.\n * Installations based on Panorama Suite 2022-SP1 (22.50.005) are vulnerable unless update PS-2210-02-4079 (or higher) is installed\n * Installations based on Panorama Suite 2023 (23.00.004) are vulnerable unless updates PS-2300-03-3078 (or higher) and PS-2300-04-3078 (or higher) and PS-2300-82-3078 (or higher) are installed\n * Installations based on Panorama Suite 2025 (25.00.016) are vulnerable unless updates PS-2500-02-1078 (or higher) and PS-2500-04-1078 (or higher) are installed \n * Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are vulnerable unless updates PS-2510-02-1077 (or higher) and PS-2510-04-1077 (or higher) are installed \n\n\nPlease refer to security bulletin BS-035, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt ."}], "id": "CVE-2026-4760", "lastModified": "2026-03-26T10:16:26.350", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "RED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "type": "Secondary"}]}, "published": "2026-03-25T13:16:27.990", "references": [{"source": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "url": "https://my.codra.net/api/csirt/download?resourceId=1467&fileType=FichierPDF"}], "sourceIdentifier": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-552"}], "source": "30aa36b7-a224-4bc9-b7d3-abea20aa4887", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows"], "status": "affected", "versions": {"scheme": "generic", "value": "[Panorama Suite 2022-SP1, update PS-2210-02-4079)"}}, {"platform": ["windows"], "status": "affected", "versions": {"scheme": "generic", "value": "[Panorama Suite 2023, update PS-2300-03-3078 AND PS-2300-04-3078 AND PS-2300-82-3078)"}}, {"platform": ["windows"], "status": "affected", "versions": {"scheme": "generic", "value": "[Panorama Suite 2025, update PS-2500-02-1078 AND PS-2500-04-1078)"}}, {"platform": ["windows"], "status": "affected", "versions": {"scheme": "generic", "value": "[Panorama Suite 2025 Updated Dec. 25, update PS-2510-02-1077 AND PS-2510-04-1077)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Panorama Suite", "source": "cna", "vendor": "CODRA"}, "product": "panorama_suite", "vendor": "codra"}], "analysis": {"en": {"generated_at": "2026-03-26T10:21:39.811602+00:00", "value": {"mitigation_remediation": ["Apply the latest CSP updates listed above for your Panorama Suite version to patch the vulnerability.", "Reduce the permissions of the Servin process account and tighten file permissions on the Web HMI server to prevent unauthorized reads.", "If a patch is not yet available, monitor for unauthorized file access and limit the exposed file paths by disabling unnecessary services or removing sensitive files from the accessible directory."], "summary": {"action": "Patch immediately", "impact": "Unauthorized file disclosure"}, "threat_synthesis": {"affected_systems": "Panorama Suite from CODRA is affected. Installations based on Panorama Suite 2022\u2011SP1 (22.50.005) are vulnerable unless the update PS\u20112210\u201102\u20114079 or newer is installed. Installations based on Panorama Suite 2023 (23.00.004) are vulnerable unless updates PS\u20112300\u201103\u20113078, PS\u20112300\u201104\u20113078, and PS\u20112300\u201182\u20113078 or newer are installed. Installations based on Panorama Suite 2025 (25.00.016) are vulnerable unless updates PS\u20112500\u201102\u20111078 and PS\u20112500\u201104\u20111078 or newer are installed. Installations based on Panorama Suite 2025 Updated Dec.\u202f25 (25.10.007) are vulnerable unless updates PS\u20112510\u201102\u20111077 and PS\u20112510\u201104\u20111077 or newer are installed.", "description_and_impact": "The vulnerability allows an attacker who knows the location of files on the Panorama Web HMI server host to read those files if the Servin process execution account has permission to do so. This grants unauthorized disclosure of potentially sensitive data and occurs through the web interface captured by the vulnerability. The weakness aligns with CWE\u2011552, representing improper access control that permits reading files the user should not access.", "risk_and_exploitability": "The CVSS score of 7.7 indicates high severity. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via the Panorama Web HMI interface, where an adversary who can identify file paths may read files that the Servin process can access. Because the vulnerability relies on the Servin process permissions, it can be exploited remotely through authenticated or unauthenticated access to the web interface, and no further conditions are required beyond knowledge of accessible paths."}}}}, "created": "2026-03-25T21:31:19.987474+00:00", "updated": "2026-03-26T12:13:28.898766+00:00", "vendors": ["codra", "codra$PRODUCT$panorama_suite"]}