Description
Oinone Pamirs 7.0.0 contains a code execution vulnerability via ScriptRunner. The method ScriptRunner.run(String expression, String type, Map<String, Object> context) evaluates attacker-controlled script expressions through the underlying script engine without sandboxing or allowlist restrictions.
Published: 2026-05-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oinone Pamirs 7.0.0 contains a code injection weakness (CWE-94): ScriptRunner.run evaluates attacker‑controlled script expressions through the underlying script engine with no sandbox and no allowlist. An adversary who can reach a code path that passes untrusted input into this method can inject and execute arbitrary script inside the application process. The recorded CVSS vector rates confidentiality and integrity impact as low and availability impact as none, which is why the published severity is medium; in practice, script execution in the application's context exposes whatever data, credentials and network access that process holds.

Affected Systems

The affected product is Oinone Pamirs version 7.0.0. No other versions or vendors are currently listed as impacted.

Risk and Exploitability

The vulnerability is exploited by submitting crafted expressions to any code path that passes caller‑supplied input to ScriptRunner.run; the underlying script engine evaluates them without restriction, so the injected code runs with the privileges of the application process. The CVSS 3.1 vector recorded for this CVE (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) describes a network‑reachable flaw that needs no privileges or user interaction but credits only partial confidentiality and integrity impact, giving a medium score of 6.5; the SSVC assessment likewise rates the technical impact as partial while marking exploitation as automatable. The EPSS estimate is below 1% and the CVE is not listed in the CISA KEV catalog, so there is no evidence of exploitation in the wild yet. The absence of sandboxing and input validation nonetheless makes exploitation straightforward wherever the interface is reachable, so the medium score should be read as a rating of the recorded impact rather than of exploit difficulty.

Generated by OpenCVE AI on May 15, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Oinone Pamirs to a version that disables or hardens ScriptRunner.run or removes the exposed API; no fixed version is listed at the time of writing.
  • Until an update is available, restrict network access to any endpoint that reaches ScriptRunner.run with segmentation or firewall rules, and require authentication on it where possible.
  • Validate all user-supplied expressions against a strict allowlist of permitted syntax and names, or stop accepting them entirely.
  • Run the application in a container or sandbox with reduced capabilities, an unprivileged user and a read-only filesystem, so that script executed through the engine has less to reach.

Generated by OpenCVE AI on May 15, 2026 at 17:25 UTC.
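The two patterns discussed above, the unrestricted evaluation the description and impact sections name and the allowlist the recommended actions call for, illustrated side by side as an added example. This is Python written for this page, not Oinone Pamirs code: the real ScriptRunner.run is a Java method and the page does not name the script engine behind it, so run_unrestricted() below stands in for any evaluator that hands a caller-supplied string to a full language runtime. run_allowlisted() parses the expression into a syntax tree, rejects the whole tree if any node falls outside a fixed grammar, and only then evaluates it with a small interpreter that knows nothing beyond arithmetic, comparison, boolean logic and the names the caller passed in. SAMPLE_CONTEXT, probe() and the probe expressions are constructed for the example.

```python
# Added illustration written for this page; it is not Oinone Pamirs code.
# ScriptRunner.run is a Java method and the page does not name the engine
# behind it, so run_unrestricted() stands in for any evaluator that hands a
# caller-supplied string to a full language runtime.
import ast
import operator

# Constructed context: the values a caller legitimately exposes to an
# expression, keyed by the only names the expression may use.
SAMPLE_CONTEXT = {"price": 120.0, "qty": 3, "discount": 0.1}

def run_unrestricted(expression: str, context: dict):
    """Vulnerable pattern (CWE-94): the string goes straight to the runtime with
    the context as its namespace, so it can import modules, reach builtins and
    walk object internals with the process's full privileges."""
    return eval(expression, {}, dict(context))

class ExpressionError(ValueError):
    """Raised when an expression uses anything outside the allowlist."""

# The whole grammar the hardened evaluator accepts: arithmetic, comparison,
# boolean logic, plain literals, and names the caller put in the context.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod}
_CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}
_UNARY_OPS = {ast.USub: operator.neg, ast.Not: operator.not_}
_ALLOWED_NODES = (ast.Expression, ast.Constant, ast.Name, ast.Load, ast.BinOp,
                  ast.UnaryOp, ast.Compare, ast.BoolOp, ast.And, ast.Or,
                  *_BIN_OPS, *_CMP_OPS, *_UNARY_OPS)

def run_allowlisted(expression: str, context: dict, max_len: int = 256):
    """Hardened pattern: parse, reject the whole tree if any node is outside the
    allowlist (calls, attribute access, subscripts, lambdas, unknown names),
    and only then evaluate it with a tiny side-effect-free interpreter."""
    if len(expression) > max_len:
        raise ExpressionError("expression too long")
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise ExpressionError(f"syntax error: {exc.msg}") from None
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise ExpressionError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Constant) and not isinstance(node.value, (bool, int, float, str)):
            raise ExpressionError(f"disallowed literal: {node.value!r}")
        if isinstance(node, ast.Name) and node.id not in context:
            raise ExpressionError(f"unknown name: {node.id}")
    try:
        return _eval_node(tree.body, context)
    except ZeroDivisionError:
        raise ExpressionError("division by zero") from None

def _eval_node(node, context):
    """Evaluate a node of an already-validated tree."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return context[node.id]
    if isinstance(node, ast.BinOp):
        return _BIN_OPS[type(node.op)](_eval_node(node.left, context),
                                       _eval_node(node.right, context))
    if isinstance(node, ast.UnaryOp):
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, context))
    if isinstance(node, ast.BoolOp):  # short-circuits like Python; yields a bool
        values = (_eval_node(v, context) for v in node.values)
        return all(values) if isinstance(node.op, ast.And) else any(values)
    # Only Compare remains; chains such as a < b <= c are checked pairwise.
    left = _eval_node(node.left, context)
    for op, comparator in zip(node.ops, node.comparators):
        right = _eval_node(comparator, context)
        if not _CMP_OPS[type(op)](left, right):
            return False
        left = right
    return True

def probe(expression: str, context: dict) -> dict:
    """Run one expression through both evaluators to compare them on one input."""
    result = {}
    try:
        result["unrestricted"] = run_unrestricted(expression, context)
    except Exception as exc:  # the unrestricted runner fails in arbitrary ways
        result["unrestricted"] = f"error: {type(exc).__name__}"
    try:
        result["allowlisted"] = run_allowlisted(expression, context)
    except ExpressionError as exc:
        result["allowlisted"] = f"rejected: {exc}"
    return result

if __name__ == "__main__":
    # Constructed inputs: two legitimate business expressions, then two probes
    # of the kind an attacker uses to reach past the supplied context.
    for expr in ("price * qty * (1 - discount)", "price > 100 and qty == 3",
                 "__import__('os').getpid()", "price.__class__.__mro__"):
        print(f"{expr!r}: {probe(expr, SAMPLE_CONTEXT)}")
```

The design point is that the allowlist is applied to the parsed tree, not to the raw string: pattern-matching on characters such as "(" or "import" is easy to bypass with alternative spellings, whereas a node type that is not in the grammar cannot be expressed at all. Validation also runs to completion before evaluation starts, so a rejected expression has no side effects, and the context is the only source of names, so the caller decides exactly what the expression can see.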


Advisories

No advisories yet.

History

Fri, 15 May 2026 17:45:00 +0000

Type: Title
Values removed: none
Values added: Code Execution via Unrestricted ScriptRunner in Oinone Pamirs 7.0.0

Fri, 15 May 2026 16:45:00 +0000

Type: Title
Values removed: none
Values added: Code Execution via Unrestricted ScriptRunner in Oinone Pamirs 7.0.0

Fri, 15 May 2026 16:15:00 +0000

Type: Weaknesses
Values removed: none
Values added: CWE-94

Type: Metrics
Values removed: none
Values added:
  cvssV3_1: score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  ssvc (version 2.0.3): Automatable: yes; Exploitation: none; Technical Impact: partial


Fri, 15 May 2026 15:15:00 +0000

Type: Description
Values removed: none
Values added: Oinone Pamirs 7.0.0 contains a code execution vulnerability via ScriptRunner. The method ScriptRunner.run(String expression, String type, Map<String, Object> context) evaluates attacker-controlled script expressions through the underlying script engine without sandboxing or allowlist restrictions.

Type: References
Values removed: none
Values added: none listed


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-15T15:32:09.988Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-39052

Vulnrichment

Updated: 2026-05-15T15:32:05.721Z

NVD

Status: Received

Published: 2026-05-15T15:16:51.490

Modified: 2026-05-15T16:16:14.617

Link: CVE-2026-39052

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T17:30:04Z

Weaknesses