PatchSiren cyber security CVE debrief
CVE-2026-39053 Oinone CVE debrief
CVE-2026-39053 documents an XML External Entity (XXE) vulnerability in Oinone Pamirs 7.0.0, published by NVD on 2026-05-15 and last modified on 2026-05-18. The issue resides in XStream-based XML parsing logic, where attacker-controlled XML passed to framework entry points such as PamirsXmlUtils.fromXML(...) or ViewXmlUtils.fromXML(...) can trigger unsafe XML processing. Successful exploitation may result in file disclosure or Server-Side Request Forgery (SSRF). The vulnerability is rated CVSS 3.1 6.5 (MEDIUM) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L. NVD lists the vulnerability status as Deferred. No Known Exploited Vulnerabilities (KEV) entry exists. The vendor field is marked low-confidence and flagged for review, with Oinone identified as a candidate based on reference domain analysis.
- Vendor: Oinone
- Product: Pamirs
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-18
Who should care
Organizations running Oinone Pamirs 7.0.0 applications that process XML input from untrusted sources; security teams responsible for XXE and SSRF prevention; developers maintaining applications using XStream for XML deserialization.
Technical summary
The vulnerability exists in Oinone Pamirs 7.0.0's XStream-based XML parsing implementation. When untrusted XML is processed through PamirsXmlUtils.fromXML(...) or ViewXmlUtils.fromXML(...), the parser resolves external entities without adequate restrictions. This allows attackers to reference external DTDs or entities, potentially reading arbitrary files from the server filesystem or initiating requests to internal/external systems (SSRF). The CVSS 3.1 score of 6.5 reflects network accessibility, low attack complexity, and no required privileges or user interaction, with limited confidentiality impact and low availability impact.
Defensive priority
medium
Recommended defensive actions
- Review application code for usage of PamirsXmlUtils.fromXML and ViewXmlUtils.fromXML methods
- Upgrade XStream to a version with secure-by-default XML parsing, or explicitly disable DTD and external entity processing in the XML parser that XStream uses
- Implement input validation and restrict XML parsing to expected schemas
- Monitor Oinone Pamirs changelog and security advisories for patched versions
- Conduct security review of XML deserialization endpoints for SSRF and file disclosure risks
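The following is an added example, not Oinone's code and not taken from the advisory, showing what a hardened XStream-backed fromXML(...) entry point looks like once the two recommendations above (disable DTD and external entity processing; restrict parsing to the expected types) are applied. The `ViewDefinition` DTO, the `view` alias and the sample inputs are constructed for illustration; the XStream and StAX calls (`StaxDriver.createInputFactory`, `XMLInputFactory.SUPPORT_DTD`, `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES`, `addPermission`, `allowTypes`) are the real library APIs. Whether a given XStream release already disables DTDs in its default `StaxDriver` depends on the version, so the properties are set explicitly rather than relied upon.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.StaxDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;

import java.util.Locale;
import javax.xml.stream.XMLInputFactory;

/**
 * Hardened replacement for an XStream-backed fromXML(...) entry point.
 * Hypothetical code: the DTO and endpoint shape are assumptions, not Oinone's.
 */
public final class HardenedXmlUtils {

    /** Hypothetical DTO standing in for the framework's own view objects. */
    public static final class ViewDefinition {
        public String name;
        public String title;
    }

    private static final XStream XSTREAM = newHardenedXStream();

    private static XStream newHardenedXStream() {
        StaxDriver driver = new StaxDriver() {
            @Override
            protected XMLInputFactory createInputFactory() {
                XMLInputFactory factory = super.createInputFactory();
                // No DOCTYPE at all: this removes both external DTDs and
                // internal entity expansion from the parser's reach.
                factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
                // Never fetch external general entities (file, http, ... URIs).
                factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
                return factory;
            }
        };
        XStream xstream = new XStream(driver);
        // Deny everything first, then allowlist only the type this endpoint expects.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.allowTypes(new Class[] { ViewDefinition.class });
        xstream.alias("view", ViewDefinition.class);
        return xstream;
    }

    /** Parses untrusted XML into the one expected type, or throws. */
    public static ViewDefinition fromXML(String xml) {
        // Defence in depth and a detection hook: legitimate view XML never
        // carries a DOCTYPE, so its presence is worth logging as well as rejecting.
        if (xml.toUpperCase(Locale.ROOT).contains("<!DOCTYPE")) {
            throw new IllegalArgumentException("DOCTYPE declarations are not accepted");
        }
        Object parsed = XSTREAM.fromXML(xml);
        if (!(parsed instanceof ViewDefinition)) {
            throw new IllegalArgumentException("unexpected root type " + parsed.getClass().getName());
        }
        return (ViewDefinition) parsed;
    }

    public static void main(String[] args) {
        // Constructed benign input.
        String benign = "<view><name>orders</name><title>Orders</title></view>";
        ViewDefinition v = fromXML(benign);
        System.out.println("parsed view: " + v.name + " / " + v.title);

        // Constructed hostile input: a DOCTYPE declaring an external entity
        // (placeholder URI; the point is only that it is refused).
        String hostile = "<!DOCTYPE view [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>"
                + "<view><name>&ext;</name><title>x</title></view>";
        try {
            fromXML(hostile);
            System.out.println("FAIL: hostile input was accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected hostile input: " + e.getMessage());
        }

        // Constructed input naming a type outside the allowlist.
        String wrongType = "<java.util.HashMap/>";
        try {
            fromXML(wrongType);
            System.out.println("FAIL: unlisted type was instantiated");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected unlisted type: " + e.getMessage());
        }
    }
}
```

The DOCTYPE pre-check is deliberately redundant with the factory settings: if a future XStream or StAX implementation change silently re-enables DTD support, the entry point still refuses the input, and the rejection gives security operations a single log line to alert on. The `NoTypePermission.NONE` plus `allowTypes` pair addresses the separate risk of XStream instantiating arbitrary classes from attacker-chosen element names, which the external-entity settings alone do not cover.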
Evidence notes
The CVE description identifies specific vulnerable methods (PamirsXmlUtils.fromXML, ViewXmlUtils.fromXML) and the underlying XStream library as the XXE vector. CVSS scoring and CWE-611 classification are sourced from official NVD metadata. Vendor attribution is preliminary based on reference domain candidate matching and requires verification.
Official resources
NVD published this CVE on 2026-05-15T15:16:51.613Z with a subsequent modification on 2026-05-18T17:44:03.697Z. The vulnerability status is Deferred per NVD records.