VYPR
Vendor

Oinone

Products
1
CVEs
6
Across products
6
Status
Private

Products

1

Recent CVEs

6
  • CVE-2026-39054HigMay 15, 2026
    risk 0.48cvss 7.3epss 0.01

    Oinone Pamirs 7.0.0 contains a command injection vulnerability in CommandHelper.executeCommands. The method starts a shell process and writes attacker-controlled command strings directly to the process standard input without sanitization. In affected deployments, this can result…

  • CVE-2026-8734HigMay 17, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was determined in Oinone Pamirs up to 7.2.0. Affected by this issue is the function RSQLToSQLNodeConnector.makeVariable of the component queryListByWrapper Interface. This manipulation causes sql injection. The attack can be initiated remotely. The exploit has…

  • CVE-2026-39053MedMay 15, 2026
    risk 0.42cvss 6.5epss 0.00

    Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) issue in its XStream-based XML parsing logic. When attacker-controlled XML is passed to framework parsing entry points such as PamirsXmlUtils.fromXML(...) or ViewXmlUtils.fromXML(...), unsafe XML processing can lead to…

  • CVE-2026-39052MedMay 15, 2026
    risk 0.42cvss 6.5epss 0.00

    Oinone Pamirs 7.0.0 contains a code execution vulnerability via ScriptRunner. The method ScriptRunner.run(String expression, String type, Map<String, Object> context) evaluates attacker-controlled script expressions through the underlying script engine without sandboxing or…

  • CVE-2026-8735MedMay 17, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was identified in Oinone Pamirs up to 7.2.0. This affects the function JsonUtils.parseMap of the file PamirsParserConfig.java of the component appConfigQuery Interface. Such manipulation leads to deserialization. The attack can be launched remotely. The exploit…

  • CVE-2026-8736MedMay 17, 2026
    risk 0.27cvss 4.1epss 0.00

    A security flaw has been discovered in Oinone Pamirs up to 7.2.0. This vulnerability affects the function request.getParameter of the file LocalFileClient.java of the component RestController. Performing a manipulation of the argument uniqueFileName results in path traversal.…