Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) issue in its XStream-based XML parsing logic. When attacker-controlled XML is passed to framework parsing entry points such as PamirsXmlUtils.fromXML(...) or ViewXmlUtils.fromXML(...), unsafe XML processing can lead to file disclosure or SSRF.
AnalysisAI
XML External Entity (XXE) injection in Oinone Pamirs 7.0.0 allows remote unauthenticated attackers to disclose local files or perform Server-Side Request Forgery (SSRF) attacks via malicious XML input to unsafe XStream parsing entry points (PamirsXmlUtils.fromXML, ViewXmlUtils.fromXML). The vulnerability has network attack vector with low complexity (CVSS:3.1 AV:N/AC:L/PR:N) and is automatable per SSVC framework, though no active exploitation or public POC has been confirmed at time of analysis. EPSS data not available; CISA KEV status: not listed.
Technical ContextAI
The vulnerability resides in Oinone Pamirs framework's XML parsing implementation using XStream library. XStream, when not configured with security restrictions, resolves XML External Entities by default, allowing XXE attacks (CWE-611). The affected parsing entry points PamirsXmlUtils.fromXML() and ViewXmlUtils.fromXML() accept attacker-controlled XML without proper entity resolution restrictions. XXE vulnerabilities occur when XML parsers process external entity references embedded in DOCTYPE declarations, enabling attackers to read arbitrary files via file:// protocol handlers or trigger SSRF via http:// handlers. Version 7.0.0 specifically identified as vulnerable; CPE data not provided in NVD records but EUVD references version information as not yet available, suggesting limited vendor disclosure.
RemediationAI
Upgrade to Oinone Pamirs version above 7.0.0 if vendor has released a patched version (check https://www.oinone.top/changelog for latest release notes). No specific fix version is independently confirmed in NVD or EUVD records as of this analysis. If patching is not immediately feasible, implement these compensating controls: (1) Configure XStream with NoTypePermission security framework via XStream.setupDefaultSecurity() method and explicitly allowlist required deserialization types - this prevents XXE entity resolution but may break legitimate XML processing requiring review of application XML schemas. (2) Deploy XML input validation at application entry points to reject DOCTYPE declarations entirely using regex filtering or SAX parser features - side effect is legitimate documents with DTDs will be rejected. (3) Apply network segmentation to restrict outbound connections from Pamirs application servers, blocking access to internal metadata endpoints (169.254.169.254) and sensitive internal services - limits SSRF impact but does not prevent file disclosure. (4) Enable Web Application Firewall rules to detect and block XXE attack patterns in XML payloads. Monitor vendor advisory channels and GitHub repository for security patches addressing XStream configuration in PamirsXmlUtils and ViewXmlUtils classes.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30548
GHSA-8373-pwfj-665j