Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Oinone Pamirs 7.0.0 contains a code execution vulnerability via ScriptRunner. The method ScriptRunner.run(String expression, String type, Map<String, Object> context) evaluates attacker-controlled script expressions through the underlying script engine without sandboxing or allowlist restrictions.
AnalysisAI
Remote attackers can execute arbitrary code on Oinone Pamirs 7.0.0 servers by sending malicious script expressions to the ScriptRunner.run() method, which evaluates untrusted input without sandboxing. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is remotely exploitable without authentication against default configurations. No public exploit identified at time of analysis, but SSVC marks this as automatable with partial technical impact. EPSS data unavailable. The vulnerability enables both information disclosure (C:L) and integrity compromise (I:L) according to CVSS, creating a pathway for initial access and potential privilege escalation.
Technical ContextAI
This vulnerability stems from CWE-94 (Improper Control of Generation of Code, 'Code Injection'), a dangerous class where applications dynamically evaluate attacker-controlled input as executable code. The ScriptRunner component in Oinone Pamirs 7.0.0 accepts three parameters: a script expression string, a script type identifier, and a context map. It passes these directly to an underlying script engine (likely supporting multiple languages given the 'type' parameter) without implementing sandbox restrictions, input validation, or allowlist filtering. This architectural flaw allows arbitrary code execution within the application's security context. Common script engines in Java applications include JavaScript (Nashorn/GraalVM), Groovy, or Python (Jython), each capable of accessing system resources, executing OS commands, and manipulating application state when unsandboxed.
RemediationAI
Check the official vendor changelog at https://www.oinone.top/changelog for patched releases addressing CVE-2026-39052. Upstream fix available (PR/commit); released patched version not independently confirmed from provided references. If no patched version exists, implement immediate compensating controls: disable or remove the ScriptRunner component entirely if not business-critical; restrict network access to Pamirs instances using firewall rules to trusted IP ranges only (eliminates AV:N attack vector but creates operational overhead for remote administration); deploy web application firewall rules to block requests containing script syntax patterns in ScriptRunner endpoint parameters (incomplete protection due to encoding bypass potential); implement mandatory authentication with least-privilege access controls before ScriptRunner endpoints (converts PR:N to PR:L/H, significantly reducing attack surface). Monitor the GitHub repository at https://github.com/oinone/oinone-pamirs for security patches. Each workaround trades functionality or administrative burden for security: removing ScriptRunner eliminates dynamic scripting features, network restrictions complicate remote management, WAF rules may cause false positives, and adding authentication requires integration changes.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30544
GHSA-64vw-hq5r-5qmj