XML External Entity Vulnerability in Oinone Pamirs Product
CVE-2026-39053

6.5MEDIUM

Key Information:

Vendor: Oinone
Status: Pamirs
Vendor: CVE Published:; 15 May 2026

What is CVE-2026-39053?

Oinone Pamirs version 7.0.0 is vulnerable to an XML External Entity (XXE) issue within its XStream-based XML parsing logic. This vulnerability arises when XML data crafted by an attacker is processed through parsing endpoints, such as PamirsXmlUtils.fromXML(...) or ViewXmlUtils.fromXML(...). The compromised XML processing can potentially lead to unauthorized file disclosures or Server-Side Request Forgery (SSRF), exposing sensitive system data and network resources.

References

https://www.oinone.top/changelog

https://github.com/oinone/oinone-pamirs

https://gist.github.com/Misakim1/859c3eb9ced699089ee0747d...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-39053 Data

JSON