Description
Oinone Pamirs 7.0.0 contains a command injection vulnerability in CommandHelper.executeCommands. The method starts a shell process and writes attacker-controlled command strings directly to the process standard input without sanitization. In affected deployments, this can result in arbitrary operating system command execution.
Published: 2026-05-15
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in the CommandHelper.executeCommands method of Oinone Pamirs 7.0.0. The method launches a shell process and writes attacker-controlled command strings directly to the process standard input without any validation. Executing arbitrary OS commands can compromise the confidentiality, integrity, and availability of the affected system. This is a classic example of the Command Injection weakness, identified as CWE-77.

Affected Systems

Affected deployments include the Oinone Pamirs application version 7.0.0. No other vendor or product variants are listed, and the CNA has not provided additional affected versions. Administrators should confirm whether they are running this exact version and review any sub‑components that invoke the vulnerable executeCommands method.

Risk and Exploitability

The risk level is high because the bug allows unchecked command execution. The CVSS score for this vulnerability is 7.3, classifying it as high severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but the absence of input sanitization suggests that exploitation is straightforward for anyone able to supply input to executeCommands. The most likely attack vector is any unprotected functionality that forwards user data to this method, which could allow remote attackers to reach it if the interface is exposed. Given the severity of the impact, the issue warrants immediate attention.

Generated by OpenCVE AI on May 15, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oinone Pamirs to a patched version, once one is available, that removes the unsanitized command input or otherwise sanitizes arguments.
  • If an immediate upgrade is not possible, restrict access to the functionality that calls CommandHelper.executeCommands so that only trusted users or services can invoke it.
  • Implement input validation or use hardened libraries that reject arbitrary shell commands, ensuring that any strings passed to the shell process are properly escaped or parameterized.
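
The last recommendation above, sketched in Java as an added example (not Oinone Pamirs code and not part of the advisory): rather than writing strings to a shell's standard input, the caller names an allowlisted operation and the program is started directly with an argument vector. The class name, operation names, executable paths and argument pattern are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

// Hypothetical helper for illustration; not the project's CommandHelper.
public final class SafeCommandRunner {
    // Operation name -> fixed executable and leading arguments (constructed sample).
    private static final Map<String, List<String>> ALLOWED = Map.of(
            "disk-usage", List.of("/usr/bin/du", "-sh", "--"),
            "list-dir", List.of("/bin/ls", "-l", "--"));
    // Caller-supplied arguments: conservative character set, no shell metacharacters.
    private static final Pattern SAFE_ARG = Pattern.compile("[A-Za-z0-9_./-]{1,255}");

    // Builds the argv vector; throws instead of running anything it cannot validate.
    static List<String> buildArgv(String operation, List<String> args) {
        List<String> base = operation == null ? null : ALLOWED.get(operation);
        if (base == null) throw new IllegalArgumentException("operation not allowed");
        List<String> argv = new ArrayList<>(base);
        for (String a : args) {
            if (a == null || !SAFE_ARG.matcher(a).matches() || a.contains(".."))
                throw new IllegalArgumentException("rejected argument");
            argv.add(a);
        }
        return argv;
    }

    // Starts the program directly: no "sh -c", nothing written to a shell's stdin.
    static int run(String operation, List<String> args)
            throws IOException, InterruptedException {
        Process p = new ProcessBuilder(buildArgv(operation, args))
                .redirectErrorStream(true)
                .redirectOutput(ProcessBuilder.Redirect.INHERIT)
                .start();
        p.getOutputStream().close(); // child sees EOF on stdin
        if (!p.waitFor(10, TimeUnit.SECONDS)) { p.destroyForcibly(); return -1; }
        return p.exitValue();
    }

    public static void main(String[] unused) throws Exception {
        System.out.println("exit=" + run("list-dir", List.of("/tmp")));
        try {
            run("list-dir", List.of("/tmp; id")); // constructed input with a metacharacter
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Because no shell interprets the arguments, the character allowlist is defence in depth; the fixed operation table is what prevents callers from choosing the executable.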



Advisories

No advisories yet.

History

Fri, 15 May 2026 19:45:00 +0000

Type Values Removed Values Added
Title Command Injection Enables Arbitrary OS Execution in Oinone Pamirs 7.0.0

Fri, 15 May 2026 18:15:00 +0000

Type Values Removed Values Added
Title Command Injection in Oinone Pamirs Allowing Arbitrary OS Command Execution
Weaknesses CWE-78

Fri, 15 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Command Injection in Oinone Pamirs Allowing Arbitrary OS Command Execution
Weaknesses CWE-78

Fri, 15 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 15 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description Oinone Pamirs 7.0.0 contains a command injection vulnerability in CommandHelper.executeCommands. The method starts a shell process and writes attacker-controlled command strings directly to the process standard input without sanitization. In affected deployments, this can result in arbitrary operating system command execution.
References


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-15T15:35:24.408Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-39054

Vulnrichment

Updated: 2026-05-15T15:35:19.860Z

NVD

Status: Received

Published: 2026-05-15T15:16:51.753

Modified: 2026-05-15T16:16:14.763

Link: CVE-2026-39054

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T19:30:05Z

Weaknesses