Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Oinone Pamirs 7.0.0 contains a command injection vulnerability in CommandHelper.executeCommands. The method starts a shell process and writes attacker-controlled command strings directly to the process standard input without sanitization. In affected deployments, this can result in arbitrary operating system command execution.
AnalysisAI
Command injection in Oinone Pamirs 7.0.0 allows remote unauthenticated attackers to execute arbitrary OS commands through the CommandHelper.executeCommands method. The vulnerability stems from unsanitized command strings being passed directly to a shell process's standard input. With an EPSS score indicating moderate exploitation likelihood and SSVC assessment showing automatable attacks with total technical impact, this represents a significant risk despite no current KEV listing or confirmed active exploitation.
Technical ContextAI
The vulnerability exists in the CommandHelper.executeCommands method which creates a shell process and writes user-supplied input directly to the process's standard input stream without any sanitization or validation. This is a classic command injection vulnerability (CWE-77) where the application fails to neutralize special elements that could be interpreted as OS commands. The method appears to be part of the core Pamirs framework functionality, potentially affecting any deployment using this command execution feature.
RemediationAI
No vendor-released patch identified at time of analysis. The references point to the vendor's GitHub repository and changelog page, but do not indicate a specific fixed version. As immediate mitigation, disable or restrict access to any functionality that uses CommandHelper.executeCommands if possible. Implement strict input validation and sanitization for any user-supplied data that could reach this method. Consider deploying a Web Application Firewall (WAF) configured to block common command injection patterns, though this provides only partial protection. Monitor system logs for suspicious command execution patterns. Contact the vendor through their GitHub repository for patch availability and timeline.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30547
GHSA-3vmq-hg3m-f8qq