Description
A vulnerability was identified in Oinone Pamirs up to 7.2.0. This affects the function JsonUtils.parseMap of the file PamirsParserConfig.java of the component appConfigQuery Interface. Such manipulation leads to deserialization. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the JsonUtils.parseMap function within PamirsParserConfig.java of the Oinone Pamirs appConfigQuery component. This vulnerability aligns with CWE‑20 (Improper Input Validation) and CWE‑502 (Deserialization of Untrusted Data). An attacker can supply malicious JSON that is deserialized by the application, which may lead to unintended code execution depending on how the deserialization logic processes the data. The CVE notes that the exploit is publicly available and that the attack can be launched remotely, implying that it may not require local privileges, though this is an inference from the information provided.

Affected Systems

The affected product is Oinone Pamirs, versions up to and including 7.2.0. No other vendors or products are listed as impacted.

Risk and Exploitability

With a CVSS score of 5.3, the vulnerability represents moderate risk. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Attackers can trigger the flaw remotely by sending crafted JSON to the appConfigQuery interface, potentially compromising confidentiality, integrity, and availability of the affected system.

Generated by OpenCVE AI on May 17, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Oinone Pamirs release that removes the deserialization path in PamirsParserConfig.java.
  • If an update is unavailable, restrict the appConfigQuery interface to trusted internal sources and validate all JSON input before deserialization.
  • Apply a safe JSON parsing library or serialization policy that rejects unknown types to mitigate the deserialization vector.
  • Monitor application logs for anomalous deserialization attempts and investigate any suspicious activity.


Advisories

No advisories yet.

History

Sun, 17 May 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in Oinone Pamirs up to 7.2.0. This affects the function JsonUtils.parseMap of the file PamirsParserConfig.java of the component appConfigQuery Interface. Such manipulation leads to deserialization. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Oinone Pamirs appConfigQuery PamirsParserConfig.java JsonUtils.parseMap deserialization
First Time appeared | | Oinone; Oinone pamirs
Weaknesses | | CWE-20; CWE-502
CPEs | | cpe:2.3:a:oinone:pamirs:*:*:*:*:*:*:*:*
Vendors & Products | | Oinone; Oinone pamirs
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T05:15:10.410Z

Reserved: 2026-05-16T10:30:05.343Z

Link: CVE-2026-8735

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-17T06:16:20.680

Modified: 2026-05-17T06:16:20.680

Link: CVE-2026-8735

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T17:00:22Z

Weaknesses