Skip to main content

Oinone Pamirs EUVDEUVD-2026-30544

| CVE-2026-39052 MEDIUM
Code Injection (CWE-94)
2026-05-15 cve@mitre.org GHSA-64vw-hq5r-5qmj
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 15, 2026 - 17:33 vuln.today
CVSS changed
May 15, 2026 - 16:22 NVD
6.5 (MEDIUM)
CVE Published
May 15, 2026 - 15:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Oinone Pamirs 7.0.0 contains a code execution vulnerability via ScriptRunner. The method ScriptRunner.run(String expression, String type, Map<String, Object> context) evaluates attacker-controlled script expressions through the underlying script engine without sandboxing or allowlist restrictions.

AnalysisAI

Remote attackers can execute arbitrary code on Oinone Pamirs 7.0.0 servers by sending malicious script expressions to the ScriptRunner.run() method, which evaluates untrusted input without sandboxing. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is remotely exploitable without authentication against default configurations. No public exploit identified at time of analysis, but SSVC marks this as automatable with partial technical impact. EPSS data unavailable. The vulnerability enables both information disclosure (C:L) and integrity compromise (I:L) according to CVSS, creating a pathway for initial access and potential privilege escalation.

Technical ContextAI

This vulnerability stems from CWE-94 (Improper Control of Generation of Code, 'Code Injection'), a dangerous class where applications dynamically evaluate attacker-controlled input as executable code. The ScriptRunner component in Oinone Pamirs 7.0.0 accepts three parameters: a script expression string, a script type identifier, and a context map. It passes these directly to an underlying script engine (likely supporting multiple languages given the 'type' parameter) without implementing sandbox restrictions, input validation, or allowlist filtering. This architectural flaw allows arbitrary code execution within the application's security context. Common script engines in Java applications include JavaScript (Nashorn/GraalVM), Groovy, or Python (Jython), each capable of accessing system resources, executing OS commands, and manipulating application state when unsandboxed.

RemediationAI

Check the official vendor changelog at https://www.oinone.top/changelog for patched releases addressing CVE-2026-39052. Upstream fix available (PR/commit); released patched version not independently confirmed from provided references. If no patched version exists, implement immediate compensating controls: disable or remove the ScriptRunner component entirely if not business-critical; restrict network access to Pamirs instances using firewall rules to trusted IP ranges only (eliminates AV:N attack vector but creates operational overhead for remote administration); deploy web application firewall rules to block requests containing script syntax patterns in ScriptRunner endpoint parameters (incomplete protection due to encoding bypass potential); implement mandatory authentication with least-privilege access controls before ScriptRunner endpoints (converts PR:N to PR:L/H, significantly reducing attack surface). Monitor the GitHub repository at https://github.com/oinone/oinone-pamirs for security patches. Each workaround trades functionality or administrative burden for security: removing ScriptRunner eliminates dynamic scripting features, network restrictions complicate remote management, WAF rules may cause false positives, and adding authentication requires integration changes.

Share

EUVD-2026-30544 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy