PatchSiren cyber security CVE debrief
CVE-2026-39052 Oinone CVE debrief
Oinone Pamirs 7.0.0 contains a code execution vulnerability in the ScriptRunner component. The ScriptRunner.run(String expression, String type, Map<String, Object> context) method evaluates attacker-controlled script expressions through an underlying script engine without implementing sandboxing or allowlist restrictions. This allows remote attackers to execute arbitrary code by supplying malicious script expressions to the vulnerable method. The vulnerability has a CVSS 3.1 score of 6.5 (MEDIUM severity) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating network accessibility with low attack complexity, no privileges required, no user interaction, and impacts to confidentiality and integrity. The weakness is classified as CWE-94 (Improper Control of Generation of Code). The CVE was published on 2026-05-15 and last modified on 2026-05-18. The NVD entry currently shows a status of 'Deferred'. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Oinone
- Product: Oinone Pamirs
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-18
Who should care
Organizations running Oinone Pamirs 7.0.0 with exposed ScriptRunner functionality; security teams responsible for code injection prevention; developers implementing script evaluation capabilities in Java applications
Technical summary
The ScriptRunner component in Oinone Pamirs 7.0.0 exposes a run() method that accepts arbitrary script expressions and evaluates them through an underlying script engine. The absence of sandboxing or allowlist restrictions enables attackers to inject and execute malicious code. The vulnerability is remotely exploitable without authentication and affects confidentiality and integrity of affected systems.
Defensive priority
medium
Recommended defensive actions
- Review and restrict access to ScriptRunner.run() method implementations in Oinone Pamirs 7.0.0 deployments
- Implement input validation and allowlist restrictions for script expressions passed to ScriptRunner
- Apply sandboxing controls to the underlying script engine used by ScriptRunner
- Monitor for security updates from Oinone project maintainers via the official changelog
- Assess application logs for unexpected script execution patterns indicative of exploitation attempts
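As an added illustration of the allowlist and sandboxing actions above (this is not Oinone's code; the class, method shape, engine name and the grammar it permits are all assumptions), a hypothetical wrapper that rejects any expression outside a narrow grammar and evaluates accepted ones in a fresh binding scope:

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.script.Bindings;
import javax.script.ScriptContext;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import javax.script.SimpleScriptContext;
// Hypothetical hardened wrapper, not Oinone's ScriptRunner: an expression runs only
// if its whole text matches a narrow grammar and every identifier is a context key.
public final class GuardedScriptRunner {
    // Allowed: identifiers, integer literals, arithmetic/comparison/logic
    // operators, parentheses, spaces. No quotes, dots, brackets or semicolons,
    // so the script cannot name classes, call methods or chain statements.
    private static final Pattern SHAPE =
            Pattern.compile("^[A-Za-z0-9_+\\-*/%()<>=!&| ]{1,256}$");
    private static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");
    private static final Set<String> LITERALS = Set.of("true", "false");
    private final ScriptEngine engine;
    public GuardedScriptRunner(String engineName) { // engine name is an assumption
        engine = new ScriptEngineManager().getEngineByName(engineName);
        if (engine == null) throw new IllegalStateException("no engine: " + engineName);
    }
    // Returns a rejection reason, or null when the expression is accepted.
    public static String rejectReason(String expr, Map<String, Object> context) {
        if (expr == null || !SHAPE.matcher(expr).matches()) {
            return "characters outside the allowlist";
        }
        Matcher m = IDENT.matcher(expr);
        while (m.find()) {
            String id = m.group();
            if (!LITERALS.contains(id) && !context.containsKey(id)) {
                return "unknown identifier: " + id;
            }
        }
        return null;
    }
    public Object run(String expr, Map<String, Object> context) throws ScriptException {
        String reason = rejectReason(expr, context);
        if (reason != null) throw new IllegalArgumentException(reason);
        ScriptContext ctx = new SimpleScriptContext(); // fresh scope: only allowlisted vars
        Bindings vars = engine.createBindings();
        vars.putAll(context);
        ctx.setBindings(vars, ScriptContext.ENGINE_SCOPE);
        return engine.eval(expr, ctx);
    }
}
```

With a context of `{"qty": 3, "price": 40}`, `rejectReason("qty * price > 100", ...)` returns null, while anything containing a dot, quote or an identifier not in the context is refused before the engine ever sees it. The grammar check is deliberately stricter than a sandbox alone, since engine-level sandboxing is the second layer, not the only one.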
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. CVSS vector and score confirmed from NVD metadata. CWE-94 classification from NVD weaknesses data. Vendor identification derived from reference domain candidate 'Oinone' with low confidence; vendor name marked as 'Unknown Vendor' pending verification. Product version 7.0.0 specified in CVE description. NVD status 'Deferred' noted from source metadata.
Official resources
public