Description
A vulnerability was determined in Oinone Pamirs up to 7.2.0. Affected by this issue is the function RSQLToSQLNodeConnector.makeVariable of the component queryListByWrapper Interface. This manipulation causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in Oinone Pamirs versions up to 7.2.0. The flaw resides in the RSQLToSQLNodeConnector.makeVariable method of the queryListByWrapper interface, where user‑provided RSQL expressions are converted to raw SQL without proper sanitization, allowing an attacker to inject arbitrary SQL statements. If exploited, this could let the attacker read, modify, or delete data in the underlying database, potentially exposing sensitive information or disrupting application functionality.

Affected Systems

The affected product is Oinone Pamirs, available from the vendor Oinone. The vulnerable component is present in all releases up to version 7.2.0. No specific subcomponents or modules are listed beyond the queryListByWrapper interface. Systems running these versions and exposing the RSQL querying functionality are at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The vulnerability has been publicly disclosed, no EPSS data is available, and it is not listed in the CISA KEV catalog. Exploitation requires remote access to the RSQL endpoint, making it practical for attackers with network reach. The lack of a vendor response further increases risk. Administrators should treat this as a non‑critical but actionable threat that could lead to data compromise if left unpatched.

Generated by OpenCVE AI on May 17, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oinone Pamirs to any release that removes the unvalidated RSQL parsing code, or apply the vendor's official patch if one is available.
  • If an immediate upgrade is not possible, enforce strict input validation on the RSQL parameters, escaping or rejecting any suspicious SQL fragments before they reach the database layer.
  • Reduce the attack surface by disabling the RSQL endpoint or blocking it at the firewall from public networks, ensuring only trusted internal services can submit queries.
  • Monitor database access logs for unusual query patterns or repeated failed login attempts, and investigate any anomalies promptly.
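As an added illustration of the input-validation and parameterization advice above (example code written for this page, not Oinone Pamirs' RSQLToSQLNodeConnector or any vendor code), the Python below converts a small, hypothetical RSQL subset to SQL in two ways: an injectable converter that splices parsed values into the query text, and a hardened converter that checks field names against an allowlist, maps operators through a fixed table, and passes every value as a bind parameter. The `users` table, its column names, the sample rows and the hostile filter string are all constructed for the demonstration.

```python
"""Hypothetical RSQL -> SQL converter, contrasting string-building with
allowlist + bind parameters. Illustrative only; not Oinone Pamirs code."""
import re
import sqlite3

# Allowlisted RSQL comparison operators and the SQL they map to.
OPERATORS = {
    "==": "=",
    "!=": "<>",
    "=gt=": ">",
    "=ge=": ">=",
    "=lt=": "<",
    "=le=": "<=",
}

# One comparison: <field><operator><value>. The value is captured verbatim;
# whether it ever becomes SQL text is what the two converters differ on.
_COMPARISON = re.compile(
    r"^([A-Za-z_][A-Za-z0-9_]*)(==|!=|=gt=|=ge=|=lt=|=le=)(.+)$")

# Constructed allowlist of columns a client may filter on.
USERS_FIELDS = frozenset({"name", "role", "age"})


class RsqlError(ValueError):
    """Raised when an RSQL expression is rejected."""


def _parse(rsql):
    """Parse a tiny RSQL subset: ',' is OR (lowest precedence), ';' is AND.
    Returns a list of AND-groups, each a list of (field, operator, value).
    Simplification: quoted values containing ',' or ';' are not supported."""
    groups = []
    for or_term in rsql.split(","):
        group = []
        for comparison in or_term.split(";"):
            m = _COMPARISON.match(comparison)
            if not m:
                raise RsqlError(f"bad comparison: {comparison!r}")
            group.append(m.groups())
        groups.append(group)
    return groups


def rsql_to_sql_unsafe(rsql):
    """Vulnerable pattern: the parsed value is spliced into the SQL string,
    so a value that closes the quote changes the query's meaning."""
    clauses = []
    for group in _parse(rsql):
        preds = [f"{f} {OPERATORS[op]} '{v}'" for f, op, v in group]
        clauses.append("(" + " AND ".join(preds) + ")")
    return "SELECT * FROM users WHERE " + " OR ".join(clauses)


def rsql_to_sql(rsql, allowed_fields):
    """Hardened pattern: field names must be allowlisted, operators come
    only from OPERATORS, and every value becomes a '?' bind parameter."""
    clauses, params = [], []
    for group in _parse(rsql):
        preds = []
        for field, op, value in group:
            if field not in allowed_fields:
                raise RsqlError(f"field not allowed: {field!r}")
            preds.append(f"{field} {OPERATORS[op]} ?")
            params.append(value)
        clauses.append("(" + " AND ".join(preds) + ")")
    return "SELECT * FROM users WHERE " + " OR ".join(clauses), params


def is_rejected(rsql, allowed_fields=USERS_FIELDS):
    """True if the hardened converter refuses the expression."""
    try:
        rsql_to_sql(rsql, allowed_fields)
    except RsqlError:
        return True
    return False


def demo():
    """Run both converters over a constructed in-memory table and return
    (rows matched by the unsafe query, rows matched by the safe query)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "admin", 41), ("bob", "user", 29), ("carol", "user", 35),
    ])
    # Constructed hostile filter: the value part closes the quote.
    hostile = "name==nobody' OR 'a'='a"
    unsafe_rows = conn.execute(rsql_to_sql_unsafe(hostile)).fetchall()
    sql, params = rsql_to_sql(hostile, USERS_FIELDS)
    safe_rows = conn.execute(sql, params).fetchall()
    return len(unsafe_rows), len(safe_rows)


if __name__ == "__main__":
    print(demo())  # (3, 0): unsafe query matches every row, safe query none
```

The design point is that the hardened converter never lets client input choose SQL syntax: identifiers are validated against a fixed set, operators are looked up rather than copied, and values travel to the database as parameters. The same filter that returns the whole table through the string-building converter matches nothing through the parameterized one, and a filter on a column outside the allowlist (for example a credential column) is refused before any SQL is built.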

Generated by OpenCVE AI on May 17, 2026 at 07:20 UTC.

Advisories

No advisories yet.

History

Sun, 17 May 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in Oinone Pamirs up to 7.2.0. Affected by this issue is the function RSQLToSQLNodeConnector.makeVariable of the component queryListByWrapper Interface. This manipulation causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Oinone Pamirs queryListByWrapper RSQLToSQLNodeConnector.makeVariable sql injection
First Time appeared | | Oinone; Oinone pamirs
Weaknesses | | CWE-74; CWE-89
CPEs | | cpe:2.3:a:oinone:pamirs:*:*:*:*:*:*:*:*
Vendors & Products | | Oinone; Oinone pamirs
References | |
Metrics | | cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}; cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}; cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}; cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T05:00:12.122Z

Reserved: 2026-05-16T10:29:54.291Z

Link: CVE-2026-8734

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-17T06:16:19.490

Modified: 2026-05-17T06:16:19.490

Link: CVE-2026-8734

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T17:00:24Z

Weaknesses