Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was determined in Oinone Pamirs up to 7.2.0. Affected by this issue is the function RSQLToSQLNodeConnector.makeVariable of the component queryListByWrapper Interface. This manipulation causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
SQL injection in Oinone Pamirs versions up to 7.2.0 allows remote unauthenticated attackers to read, modify, or delete database records via the queryListByWrapper interface. The RSQLToSQLNodeConnector.makeVariable function fails to properly sanitize input, enabling direct database manipulation. A publicly available proof-of-concept exploit exists (GitHub issue #12), and the vendor has not responded to disclosure attempts. EPSS data unavailable, not listed in CISA KEV. CVSS 5.5 (Medium) reflects confidentiality, integrity, and availability impacts all rated Low with network-accessible, low-complexity exploitation requiring no authentication.
Technical ContextAI
This is a classic SQL injection vulnerability (CWE-89) in Oinone Pamirs, a Java-based business process management framework. The vulnerable code resides in the RSQLToSQLNodeConnector.makeVariable function within the queryListByWrapper interface, which appears to handle dynamic SQL query construction. The function fails to implement proper input validation or parameterized queries when processing user-supplied data, allowing attackers to inject malicious SQL commands. The CPE identifier (cpe:2.3:a:oinone:pamirs) confirms this affects the Oinone vendor's Pamirs product line. SQL injection vulnerabilities occur when applications concatenate untrusted input directly into SQL statements rather than using prepared statements with bound parameters, enabling attackers to break out of intended query logic and execute arbitrary database commands.
RemediationAI
No vendor-released patch identified at time of analysis despite early disclosure attempts. Immediate compensating controls required: (1) Block external network access to the queryListByWrapper interface if possible - restricts attack surface but may break legitimate integrations; (2) Implement web application firewall (WAF) rules to detect and block SQL injection patterns targeting this endpoint - effective against known exploit signatures but bypassable with obfuscation; (3) Enforce strict input validation at application perimeter using allowlists for expected parameter formats - reduces injection surface but requires careful regex/validation logic to avoid bypasses; (4) Enable database query logging and monitoring for unusual patterns (UNION, OR 1=1, semicolons in unexpected contexts) - provides detection but not prevention. Organizations should urgently evaluate alternative products given vendor non-responsiveness. Monitor https://vuldb.com/vuln/364322 and vendor channels for future patch announcements. Each mitigation has performance overhead and potential for false positives requiring tuning.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30683
GHSA-5x3x-5qjx-cxrc