CVE-2026-4760 PUBLISHED

Potential unauthorized access to files on the Web HMI server host

Assigner: CODRA
Reserved: 24.03.2026 Published: 25.03.2026 Updated: 25.03.2026

From Panorama Web HMI, an attacker can gain read access to certain files on the Web HMI server, provided the attacker knows their paths and the files are accessible to the account under which the Servin process runs.

  • Installations based on Panorama Suite 2022-SP1 (22.50.005) are vulnerable unless update PS-2210-02-4079 (or higher) is installed
  • Installations based on Panorama Suite 2023 (23.00.004) are vulnerable unless updates PS-2300-03-3078 (or higher) and PS-2300-04-3078 (or higher) and PS-2300-82-3078 (or higher) are installed
  • Installations based on Panorama Suite 2025 (25.00.016) are vulnerable unless updates PS-2500-02-1078 (or higher) and PS-2500-04-1078 (or higher) are installed
  • Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are vulnerable unless updates PS-2510-02-1077 (or higher) and PS-2510-04-1077 (or higher) are installed

Please refer to security bulletin BS-035, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Red
CVSS Score: 7.7

Product Status

Vendor CODRA
Product Panorama Suite
Versions Default: unaffected
  • affected from Panorama Suite 2022-SP1 to update PS-2210-02-4079 (excl.)
  • affected from Panorama Suite 2023 to update PS-2300-03-3078 AND PS-2300-04-3078 AND PS-2300-82-3078 (excl.)
  • affected from Panorama Suite 2025 to update PS-2500-02-1078 AND PS-2500-04-1078 (excl.)
  • affected from Panorama Suite 2025 Updated Dec. 25 to update PS-2510-02-1077 AND PS-2510-04-1077 (excl.)

Problem Types

  • CWE-552 Files or directories accessible to external parties

Impacts

  • CAPEC-36 Using Unpublished Interfaces or Functionality
  • CAPEC-6 Argument Injection