Skip to main content

Oinone Pamirs CVE-2026-39054

| EUVDEUVD-2026-30547 HIGH
Command Injection (CWE-77)
2026-05-15 cve@mitre.org GHSA-3vmq-hg3m-f8qq
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
May 15, 2026 - 18:00 vuln.today
CVSS changed
May 15, 2026 - 16:22 NVD
7.3 (HIGH)
CVE Published
May 15, 2026 - 15:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Oinone Pamirs 7.0.0 contains a command injection vulnerability in CommandHelper.executeCommands. The method starts a shell process and writes attacker-controlled command strings directly to the process standard input without sanitization. In affected deployments, this can result in arbitrary operating system command execution.

AnalysisAI

Command injection in Oinone Pamirs 7.0.0 allows remote unauthenticated attackers to execute arbitrary OS commands through the CommandHelper.executeCommands method. The vulnerability stems from unsanitized command strings being passed directly to a shell process's standard input. With an EPSS score indicating moderate exploitation likelihood and SSVC assessment showing automatable attacks with total technical impact, this represents a significant risk despite no current KEV listing or confirmed active exploitation.

Technical ContextAI

The vulnerability exists in the CommandHelper.executeCommands method which creates a shell process and writes user-supplied input directly to the process's standard input stream without any sanitization or validation. This is a classic command injection vulnerability (CWE-77) where the application fails to neutralize special elements that could be interpreted as OS commands. The method appears to be part of the core Pamirs framework functionality, potentially affecting any deployment using this command execution feature.

RemediationAI

No vendor-released patch identified at time of analysis. The references point to the vendor's GitHub repository and changelog page, but do not indicate a specific fixed version. As immediate mitigation, disable or restrict access to any functionality that uses CommandHelper.executeCommands if possible. Implement strict input validation and sanitization for any user-supplied data that could reach this method. Consider deploying a Web Application Firewall (WAF) configured to block common command injection patterns, though this provides only partial protection. Monitor system logs for suspicious command execution patterns. Contact the vendor through their GitHub repository for patch availability and timeline.

Share

CVE-2026-39054 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy