diff --git a/pandora_console/include/ajax/events.php b/pandora_console/include/ajax/events.php
index 92aebb457f..37a543d6e8 100644
--- a/pandora_console/include/ajax/events.php
+++ b/pandora_console/include/ajax/events.php
@@ -1205,13 +1205,8 @@ if ($get_response === true) {
 
     if (empty($event_id) === false) {
         try {
-            $target_metaconsole = '';
-            if (is_metaconsole() === true
-                && $server_id > 0
-            ) {
-                $target_metaconsole = io_safe_output(db_get_value('target', 'tevent_response', 'id', $event_response['id']));
+            if (is_metaconsole() === true && $server_id > 0) {
                 $node = new Node($server_id);
-                $node->connect();
             }
 
             $event_response['target'] = events_get_response_target(
@@ -1220,28 +1215,13 @@ if ($get_response === true) {
                 $response_parameters,
                 $server_id,
                 ($server_id !== 0) ? $node->server_name() : 'Metaconsole',
-                $target_metaconsole
             );
         } catch (\Exception $e) {
-            // Unexistent agent.
-            if (is_metaconsole() === true
-                && $server_id > 0
-            ) {
-                $node->disconnect();
-            }
-
             return;
-        } finally {
-            if (is_metaconsole() === true
-                && $server_id > 0
-            ) {
-                $node->disconnect();
-            }
         }
     }
 
     echo json_encode($event_response);
-
     return;
 }
 
@@ -1313,23 +1293,29 @@ if ($get_response_massive === true) {
 
 if ($get_row_response_action === true) {
     $response_id = get_parameter('response_id');
-    $response = json_decode(
-        io_safe_output(
-            get_parameter('response', '')
-        ),
+    $server_id = get_parameter('server_id');
+    $event_id = get_parameter('event_id');
+    $response_parameters = (array) json_decode(
+        io_safe_output(get_parameter('response_parameters', '')),
         true
     );
 
-    $end = (bool) get_parameter('end', false);
-    $index = $response['event_id'];
+    $event_response = db_get_row(
+        'tevent_response',
+        'id',
+        $response_id
+    );
+
+    $index = $event_id;
     if (is_metaconsole() === true) {
-        $index .= '-'.$response['server_id'];
+        $index .= '-'.$server_id;
     }
 
     echo get_row_response_action(
-        $response,
-        $response_id,
-        $end,
+        $event_response,
+        $event_id,
+        $server_id,
+        $response_parameters,
         $index
     );
 
@@ -1344,34 +1330,31 @@ if ($perform_event_response === true) {
         return;
     }
 
-    $target = get_parameter('target', '');
-    $response_id = get_parameter('response_id');
+    $response_id = (int) get_parameter('response_id', 0);
     $event_id = (int) get_parameter('event_id');
     $server_id = (int) get_parameter('server_id', 0);
-    $response = json_decode(
-        io_safe_output(
-            get_parameter('response', '')
-        ),
+    $response_parameters = (array) json_decode(
+        io_safe_output(get_parameter('response_parameters', '')),
         true
     );
 
-    $event_response = $response;
+    $event_response = db_get_row(
+        'tevent_response',
+        'id',
+        $response_id
+    );
     if (empty($event_response) === true) {
         echo __('No data');
         return;
     }
 
-    $command = $event_response['target'];
-
-    // Prevent OS command injection.
-    $prev_command = get_events_get_response_target($event_id, $event_response, $server_id);
-
-    if ($command !== $prev_command) {
-        echo __('unauthorized');
-        return;
-    }
-
-    $command_timeout = ($event_response !== false) ? $event_response['command_timeout'] : 90;
+    $command = get_events_get_response_target(
+        $event_id,
+        $event_response,
+        $server_id,
+        $response_parameters
+    );
+    $command_timeout = (empty($event_response['command_timeout']) === false) ? $event_response['command_timeout'] : 90;
     if (enterprise_installed() === true) {
         if ($event_response !== false
             && (int) $event_response['server_to_exec'] !== 0
@@ -1470,21 +1453,33 @@ if ($dialogue_event_response) {
         return;
     }
 
-    $event_id = get_parameter('event_id');
-    $response_id = get_parameter('response_id');
-    $command = get_parameter('target');
-    $event_response = json_decode(
-        io_safe_output(
-            get_parameter('response', '')
-        ),
+    $event_id = (int) get_parameter('event_id', 0);
+    $response_id = (int) get_parameter('response_id', 0);
+    $server_id = (int) get_parameter('server_id', 0);
+    $response_parameters = (array) json_decode(
+        io_safe_output(get_parameter('response_parameters', '')),
         true
     );
 
+    $event_response = db_get_row(
+        'tevent_response',
+        'id',
+        $response_id
+    );
+    $command = get_events_get_response_target(
+        $event_id,
+        $event_response,
+        $server_id,
+        $response_parameters
+    );
+
     switch ($event_response['type']) {
         case 'command':
             echo get_row_response_action(
                 $event_response,
-                $response_id
+                $event_id,
+                $server_id,
+                $response_parameters
             );
         break;
 
diff --git a/pandora_console/include/api.php b/pandora_console/include/api.php
index 00119668e6..6988a32536 100644
--- a/pandora_console/include/api.php
+++ b/pandora_console/include/api.php
@@ -83,7 +83,7 @@ $apiPassword = io_output_password(
 $apiTokenValid = false;
 // Try getting bearer token from header.
 // TODO. Getting token from url will be removed.
-$apiToken = (string) getBearerToken();
+$apiToken = (string) io_safe_input(getBearerToken());
 if (empty($apiToken) === true) {
     // Legacy user/pass token.
     // TODO. Revome in future.
diff --git a/pandora_console/include/functions_events.php b/pandora_console/include/functions_events.php
index 5ed43041d9..0b21727b14 100644
--- a/pandora_console/include/functions_events.php
+++ b/pandora_console/include/functions_events.php
@@ -631,7 +631,10 @@ function events_update_status($id_evento, $status, $filter=null)
         break;
     }
 
-    $result = db_process_sql($update_sql);
+    $result = false;
+    if (empty($update_sql) === false) {
+        $result = db_process_sql($update_sql);
+    }
 
     if ($result !== false) {
         switch ($status) {
@@ -3827,8 +3830,7 @@ function events_get_response_target(
     array $event_response,
     ?array $response_parameters=null,
     ?int $server_id=0,
-    ?string $server_name='',
-    ?string $target_metaconsole=''
+    ?string $server_name=''
 ) {
     global $config;
 
@@ -3842,9 +3844,6 @@ function events_get_response_target(
 
     $event = db_get_row('tevento', 'id_evento', $event_id);
     $target = io_safe_output(db_get_value('target', 'tevent_response', 'id', $event_response['id']));
-    if (empty($target) === true && $target_metaconsole !== '') {
-        $target = io_safe_output($target_metaconsole);
-    }
 
     // Replace parameters response.
     if (isset($response_parameters) === true
@@ -5994,9 +5993,10 @@ function events_get_criticity_class($criticity)
  */
 function get_row_response_action(
     array $event_response,
-    ?int $response_id,
-    $end=false,
-    $index=null
+    ?int $id_event,
+    ?int $server_id,
+    ?array $response_parameters=[],
+    ?string $index=null
 ) {
     $output = '<div class="container-massive-events-response-cell">';
     $display_command = (bool) $event_response['display_command'];
@@ -6005,7 +6005,7 @@ function get_row_response_action(
     // String command.
     $output .= '<div class="container-massive-events-response-command">';
     $output .= '<b>';
-    $output .= __('Event # %d', $event_response['event_id']);
+    $output .= __('Event # %d', $id_event);
     if (empty($command_str) === false) {
         $output .= ' ';
         $output .= __('Executing command: ');
@@ -6028,11 +6028,18 @@ function get_row_response_action(
 
     // Butom.
     $output .= '<div id="re_exec_command'.$index.'" style="display:none" class="container-massive-events-response-execute">';
+    $info = [
+        'response_id'         => $event_response['id'],
+        'server_id'           => $server_id,
+        'event_id'            => $id_event,
+        'response_parameters' => $response_parameters,
+    ];
+
     $output .= html_print_button(
         __('Execute again'),
         'btn_str',
         false,
-        'perform_response("'.base64_encode(json_encode($event_response)).'",'.$response_id.',"'.trim($index).'")',
+        'perform_response("'.base64_encode(json_encode($info)).'","'.trim($index).'")',
         [
             'icon' => 'next',
             'mode' => 'mini secondary',
@@ -6063,13 +6070,8 @@ function get_events_get_response_target(
     $response_parameters=[]
 ) {
     try {
-        $target_metaconsole = '';
-        if (is_metaconsole() === true
-            && $server_id > 0
-        ) {
-            $target_metaconsole = io_safe_output(db_get_value('target', 'tevent_response', 'id', $event_response['id']));
+        if (is_metaconsole() === true && $server_id > 0) {
             $node = new Node($server_id);
-            $node->connect();
         }
 
         return events_get_response_target(
@@ -6077,24 +6079,10 @@ function get_events_get_response_target(
             $event_response,
             $response_parameters,
             $server_id,
-            ($server_id !== 0) ? $node->server_name() : 'Metaconsole',
-            $target_metaconsole
+            ($server_id !== 0) ? $node->server_name() : 'Metaconsole'
         );
     } catch (\Exception $e) {
-        // Unexistent agent.
-        if (is_metaconsole() === true
-            && $server_id > 0
-        ) {
-            $node->disconnect();
-        }
-
         return '';
-    } finally {
-        if (is_metaconsole() === true
-            && $server_id > 0
-        ) {
-            $node->disconnect();
-        }
     }
 }
 
diff --git a/pandora_console/include/javascript/pandora_events.js b/pandora_console/include/javascript/pandora_events.js
index 2d7f5b0fca..2bc2c908ab 100644
--- a/pandora_console/include/javascript/pandora_events.js
+++ b/pandora_console/include/javascript/pandora_events.js
@@ -143,7 +143,14 @@ function execute_response(event_id, server_id) {
       if (response["type"] == "url" && response["new_window"] == 1) {
         window.open(response["target"], "_blank");
       } else {
-        show_response_dialog(response_id, response);
+        var data = {};
+        data.response_id = response_id;
+        data.server_id = server_id;
+        data.event_id = event_id;
+        data.response_parameters = response_parameters;
+        data.modal_width = response["modal_width"];
+        data.modal_height = response["modal_height"];
+        show_response_dialog(data);
       }
     }
   });
@@ -173,12 +180,10 @@ function execute_response_massive(events, response_id, response_parameters) {
 
       // Convert to array.
       var array_data = Object.entries(data.event_response_targets);
-      var total_count = array_data.length;
 
       // Each input checkeds.
       array_data.forEach(function(element, index) {
         var id = element[0];
-        var target = element[1].target;
         var meta = $("#hidden-meta").val();
         var event_id = id;
         var server_id = 0;
@@ -188,25 +193,22 @@ function execute_response_massive(events, response_id, response_parameters) {
           server_id = split_id[1];
         }
 
-        var end = 0;
-        if (total_count - 1 === index) {
-          end = 1;
-        }
-
-        var response = data.event_response;
-        response["event_id"] = event_id;
-        response["server_id"] = server_id;
-        response["target"] = target;
-        if (response["type"] == "url" && response["new_window"] == 1) {
-          window.open(response["target"], "_blank");
+        if (
+          data.event_response["type"] == "url" &&
+          data.event_response["new_window"] == 1
+        ) {
+          window.open(data.event_response["target"], "_blank");
         } else {
           var params = [];
           params.push({ name: "page", value: "include/ajax/events" });
           params.push({ name: "get_row_response_action", value: 1 });
           params.push({ name: "response_id", value: response_id });
-          params.push({ name: "server_id", value: response.server_id });
-          params.push({ name: "end", value: end });
-          params.push({ name: "response", value: JSON.stringify(response) });
+          params.push({ name: "server_id", value: server_id });
+          params.push({ name: "event_id", value: event_id });
+          params.push({
+            name: "response_parameters",
+            value: response_parameters
+          });
 
           jQuery.ajax({
             data: params,
@@ -215,20 +217,17 @@ function execute_response_massive(events, response_id, response_parameters) {
             dataType: "html",
             success: function(data) {
               $(".container-massive-events-response").append(data);
-              response["event_id"] = event_id;
-              response["server_id"] = server_id;
-              response["target"] = target;
-
               var indexstr = event_id;
               if (meta != 0) {
                 indexstr += "-" + server_id;
               }
 
-              perform_response(
-                btoa(JSON.stringify(response)),
-                response_id,
-                indexstr
-              );
+              var info = {};
+              info.response_id = response_id;
+              info.server_id = server_id;
+              info.event_id = event_id;
+              info.response_parameters = JSON.parse(response_parameters);
+              perform_response(btoa(JSON.stringify(info)), indexstr);
             }
           });
         }
@@ -238,15 +237,17 @@ function execute_response_massive(events, response_id, response_parameters) {
 }
 
 //Show the modal window of an event response
-function show_response_dialog(response_id, response) {
+function show_response_dialog(info) {
   var params = [];
   params.push({ name: "page", value: "include/ajax/events" });
   params.push({ name: "dialogue_event_response", value: 1 });
-  params.push({ name: "event_id", value: response.event_id });
-  params.push({ name: "target", value: response.target });
-  params.push({ name: "response_id", value: response_id });
-  params.push({ name: "server_id", value: response.server_id });
-  params.push({ name: "response", value: JSON.stringify(response) });
+  params.push({ name: "event_id", value: info.event_id });
+  params.push({ name: "response_id", value: info.response_id });
+  params.push({ name: "server_id", value: info.server_id });
+  params.push({
+    name: "response_parameters",
+    value: JSON.stringify(info.response_parameters)
+  });
 
   var view = ``;
 
@@ -272,10 +273,10 @@ function show_response_dialog(response_id, response) {
           draggable: true,
           modal: false,
           open: function() {
-            perform_response(btoa(JSON.stringify(response)), response_id, "");
+            perform_response(btoa(JSON.stringify(info)));
           },
-          width: response["modal_width"],
-          height: response["modal_height"],
+          width: info.modal_width,
+          height: info.modal_height,
           buttons: []
         })
         .show();
@@ -284,26 +285,22 @@ function show_response_dialog(response_id, response) {
 }
 
 // Perform a response and put the output into a div
-function perform_response(response, response_id, index = "") {
+function perform_response(info, index = "") {
+  info = JSON.parse(atob(info));
   $("#re_exec_command" + index).hide();
   $("#response_loading_command" + index).show();
   $("#response_out" + index).html("");
 
-  try {
-    response = JSON.parse(atob(response));
-  } catch (e) {
-    console.error(e);
-    return;
-  }
-
   var params = [];
   params.push({ name: "page", value: "include/ajax/events" });
   params.push({ name: "perform_event_response", value: 1 });
-  params.push({ name: "target", value: response["target"] });
-  params.push({ name: "response_id", value: response_id });
-  params.push({ name: "event_id", value: response["event_id"] });
-  params.push({ name: "server_id", value: response["server_id"] });
-  params.push({ name: "response", value: JSON.stringify(response) });
+  params.push({ name: "response_id", value: info.response_id });
+  params.push({ name: "event_id", value: info.event_id });
+  params.push({ name: "server_id", value: info.server_id });
+  params.push({
+    name: "response_parameters",
+    value: JSON.stringify(info.response_parameters)
+  });
 
   jQuery.ajax({
     data: params,