Description
Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) issue in its XStream-based XML parsing logic. When attacker-controlled XML is passed to framework parsing entry points such as PamirsXmlUtils.fromXML(...) or ViewXmlUtils.fromXML(...), unsafe XML processing can lead to file disclosure or SSRF.
Published: 2026-05-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) weakness (CWE-611) in its XStream‑based XML parsing: XML that reaches framework entry points such as PamirsXmlUtils.fromXML(...) or ViewXmlUtils.fromXML(...) is handed to an XML parser that still honours DTDs and resolves external entities. An attacker who controls that XML can declare an entity pointing at a local file or at a URL of their choosing; the parser then reads the file into the document (file disclosure) or issues the request from the server (Server‑Side Request Forgery against internal services). The root cause is parser configuration rather than missing input validation: the DTD and external‑entity support that XML parsers commonly enable by default was left on for untrusted input, which compromises confidentiality and lets the application be used to cross network trust boundaries.

Affected Systems

The vulnerability affects the Oinone Pamirs 7.0.0 release. No other products or vendors are listed as impacted in the available data.

Risk and Exploitability

The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, so there is no evidence of exploitation in the wild yet; the SSVC record does mark it Automatable, and XXE payloads are easy to craft once an entry point is known. The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) describes an unauthenticated network attacker with no user interaction required, limited confidentiality and availability impact and no integrity impact. Exploitation requires reaching an endpoint that passes attacker‑supplied XML to one of the affected entry points (PamirsXmlUtils.fromXML or ViewXmlUtils.fromXML). Where such an endpoint is internet‑facing or accepts XML from untrusted tenants, the practical risk is higher than the base score alone suggests, because a single request can read server files or pivot to internal services; where XML is only accepted from trusted, authenticated sources, the exposure is correspondingly lower.

Generated by OpenCVE AI on May 15, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor changelog at https://www.oinone.top/changelog for a release that addresses this issue and upgrade to it; the CVE record itself lists no fixed version or workaround.
  • Harden the XML parser behind XStream rather than XStream itself: entity expansion happens in the driver's underlying parser (an XMLInputFactory for StaxDriver, a DocumentBuilderFactory for DomDriver), so disable DTD processing and external entity resolution there, and front the affected entry points with a check that rejects any document containing a DOCTYPE declaration. Because fromXML(...) on attacker‑controlled input is also a deserialization sink, keep XStream's type allow‑list in force on the same instance.
  • Restrict outbound connections from the application host (egress filtering, network segmentation) so that a triggered SSRF cannot reach internal services or arbitrary URLs, and run the service with minimal filesystem privileges to limit what a file‑disclosure entity can read.
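The parser hardening described in the second recommendation above, shown as an added example that is not Oinone's code and not the XStream configuration Pamirs actually uses (the CVE record does not say which XStream driver PamirsXmlUtils or ViewXmlUtils configure). It assumes a StaxDriver, a hypothetical ViewDef target class and a hypothetical parseView entry point. The block overrides StaxDriver's createInputFactory() hook so the underlying StAX parser neither processes DTDs nor resolves external entities, keeps XStream's explicit type allow‑list on the same instance, and fronts the parse with a DOCTYPE rejection check; the XXE probe it feeds in is constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.StaxDriver;

import java.util.Locale;
import javax.xml.stream.XMLInputFactory;

public class HardenedViewXml {

    // Hypothetical target type standing in for whatever Pamirs deserialises.
    public static class ViewDef {
        public String name;
        public String content;
    }

    // StaxDriver whose XMLInputFactory neither processes DTDs nor resolves
    // external entities, so an <!ENTITY ... SYSTEM "file:///..."> declaration
    // is never fetched. createInputFactory() is StaxDriver's own extension hook.
    static StaxDriver hardenedDriver() {
        return new StaxDriver() {
            @Override
            protected XMLInputFactory createInputFactory() {
                XMLInputFactory factory = XMLInputFactory.newInstance();
                factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
                factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
                return factory;
            }
        };
    }

    // XStream bound to the hardened driver and to an explicit type allow-list.
    // fromXML() on attacker-controlled input is a deserialisation sink as well
    // as an XML one, so the allow-list matters independently of the XXE fix.
    static XStream hardenedXStream() {
        XStream xstream = new XStream(hardenedDriver());
        XStream.setupDefaultSecurity(xstream);          // explicit for XStream older than 1.4.18
        xstream.allowTypes(new Class[] { ViewDef.class });
        xstream.alias("view", ViewDef.class);
        return xstream;
    }

    // Defence in depth: application XML never legitimately carries a DOCTYPE,
    // so refuse it before the parser sees it. Not a substitute for the factory settings.
    static void rejectDoctype(String xml) {
        if (xml.toUpperCase(Locale.ROOT).contains("<!DOCTYPE")) {
            throw new IllegalArgumentException("DOCTYPE declarations are not accepted");
        }
    }

    // Hypothetical entry point in the position of ViewXmlUtils.fromXML(...).
    static ViewDef parseView(String xml) {
        rejectDoctype(xml);
        return (ViewDef) hardenedXStream().fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed XXE probe of the classic file-disclosure shape.
        String probe = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE view [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
            + "<view><name>&xxe;</name><content>x</content></view>";
        try {
            parseView(probe);
            System.out.println("FAIL: probe accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("probe rejected: " + e.getMessage());
        }

        // Benign constructed document still parses through the hardened instance.
        ViewDef ok = parseView("<view><name>home</name><content>hello</content></view>");
        System.out.println("parsed view: " + ok.name + " / " + ok.content);
    }
}
```

Run it with the xstream jar on the classpath: the probe is stopped by the DOCTYPE guard, and if that guard were removed the SUPPORT_DTD=false property still prevents the factory from fetching the SYSTEM entity. The same two properties apply to any XMLInputFactory the application builds itself; for a DomDriver the equivalent is setting the Xerces feature http://apache.org/xml/features/disallow-doctype-decl to true on the DocumentBuilderFactory.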


Advisories

No advisories yet.

History

Fri, 15 May 2026 22:45:00 +0000

Type          Values Removed   Values Added
Title                          XML External Entity parsing vulnerability allowing file disclosure and SSRF in Oinone Pamirs 7.0.0

Fri, 15 May 2026 21:15:00 +0000

Type          Values Removed   Values Added
Metrics                        cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}
Metrics                        ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 16:45:00 +0000

Type          Values Removed   Values Added
Title                          XML External Entity parsing vulnerability allowing file disclosure and SSRF in Oinone Pamirs 7.0.0
Weaknesses                     CWE-611

Fri, 15 May 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description                    Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) issue in its XStream-based XML parsing logic. When attacker-controlled XML is passed to framework parsing entry points such as PamirsXmlUtils.fromXML(...) or ViewXmlUtils.fromXML(...), unsafe XML processing can lead to file disclosure or SSRF.
References


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-15T20:18:19.005Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-39053

Vulnrichment

Updated: 2026-05-15T20:18:15.365Z

NVD

Status: Received

Published: 2026-05-15T15:16:51.613

Modified: 2026-05-15T21:16:35.503

Link: CVE-2026-39053

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T22:30:06Z

Weaknesses