Skip to main content

Oinone Pamirs CVE-2026-39053

| EUVDEUVD-2026-30548 MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
2026-05-15 cve@mitre.org GHSA-8373-pwfj-665j
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

3
Analysis Generated
May 15, 2026 - 23:30 vuln.today
CVSS changed
May 15, 2026 - 21:22 NVD
6.5 (MEDIUM)
CVE Published
May 15, 2026 - 15:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) issue in its XStream-based XML parsing logic. When attacker-controlled XML is passed to framework parsing entry points such as PamirsXmlUtils.fromXML(...) or ViewXmlUtils.fromXML(...), unsafe XML processing can lead to file disclosure or SSRF.

AnalysisAI

XML External Entity (XXE) injection in Oinone Pamirs 7.0.0 allows remote unauthenticated attackers to disclose local files or perform Server-Side Request Forgery (SSRF) attacks via malicious XML input to unsafe XStream parsing entry points (PamirsXmlUtils.fromXML, ViewXmlUtils.fromXML). The vulnerability has network attack vector with low complexity (CVSS:3.1 AV:N/AC:L/PR:N) and is automatable per SSVC framework, though no active exploitation or public POC has been confirmed at time of analysis. EPSS data not available; CISA KEV status: not listed.

Technical ContextAI

The vulnerability resides in Oinone Pamirs framework's XML parsing implementation using XStream library. XStream, when not configured with security restrictions, resolves XML External Entities by default, allowing XXE attacks (CWE-611). The affected parsing entry points PamirsXmlUtils.fromXML() and ViewXmlUtils.fromXML() accept attacker-controlled XML without proper entity resolution restrictions. XXE vulnerabilities occur when XML parsers process external entity references embedded in DOCTYPE declarations, enabling attackers to read arbitrary files via file:// protocol handlers or trigger SSRF via http:// handlers. Version 7.0.0 specifically identified as vulnerable; CPE data not provided in NVD records but EUVD references version information as not yet available, suggesting limited vendor disclosure.

RemediationAI

Upgrade to Oinone Pamirs version above 7.0.0 if vendor has released a patched version (check https://www.oinone.top/changelog for latest release notes). No specific fix version is independently confirmed in NVD or EUVD records as of this analysis. If patching is not immediately feasible, implement these compensating controls: (1) Configure XStream with NoTypePermission security framework via XStream.setupDefaultSecurity() method and explicitly allowlist required deserialization types - this prevents XXE entity resolution but may break legitimate XML processing requiring review of application XML schemas. (2) Deploy XML input validation at application entry points to reject DOCTYPE declarations entirely using regex filtering or SAX parser features - side effect is legitimate documents with DTDs will be rejected. (3) Apply network segmentation to restrict outbound connections from Pamirs application servers, blocking access to internal metadata endpoints (169.254.169.254) and sensitive internal services - limits SSRF impact but does not prevent file disclosure. (4) Enable Web Application Firewall rules to detect and block XXE attack patterns in XML payloads. Monitor vendor advisory channels and GitHub repository for security patches addressing XStream configuration in PamirsXmlUtils and ViewXmlUtils classes.

Share

CVE-2026-39053 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy