PatchSiren cyber security CVE debrief
CVE-2026-8734 Oinone CVE debrief
CVE-2026-8734 describes a remote SQL injection issue in Oinone Pamirs up to 7.2.0, specifically in RSQLToSQLNodeConnector.makeVariable within the queryListByWrapper interface. The source record says the issue was publicly disclosed and that the vendor was contacted early but did not respond. The NVD record classifies the case as medium severity (CVSS 5.5) with low impact on confidentiality, integrity, and availability.
- Vendor: Oinone
- Product: Pamirs
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-17
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-17
- Advisory updated: 2026-05-18
Who should care
Security teams, application owners, and developers responsible for Oinone Pamirs deployments up to 7.2.0, especially where the queryListByWrapper interface is reachable from untrusted clients or exposed to the internet.
Technical summary
The vulnerability is a SQL injection flaw triggered through the RSQLToSQLNodeConnector.makeVariable function in the queryListByWrapper interface. The CNA/NVD metadata maps the weakness to CWE-89 and CWE-74, and the CVSS vector indicates network attackability without privileges or user interaction. Because the issue is publicly disclosed, exposed deployments should be treated as higher urgency than the base CVSS score alone might suggest.
Defensive priority
Medium overall, but priority should be raised to high for any internet-facing or externally reachable deployment of affected versions.
Recommended defensive actions
- Identify whether Oinone Pamirs up to 7.2.0 is in use, with special attention to the queryListByWrapper interface.
- Restrict exposure of the affected interface to trusted networks or authenticated administrative paths until remediation is confirmed.
- Review any input paths that reach RSQLToSQLNodeConnector.makeVariable and ensure they are validated and safely parameterized before constructing SQL.
- Apply vendor guidance or an updated release when available, and verify the fix in a staging environment before production rollout.
- Monitor database and application logs for unusual query patterns or unexpected errors that could indicate attempted abuse.
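The parameterization advice above, as an added example rather than Oinone Pamirs code (the source of RSQLToSQLNodeConnector.makeVariable is not shown on this page): a Python translator for a small RSQL subset that emits only allowlisted column names and `?` placeholders, so comparison values never become SQL text. The names `ALLOWED_COLUMNS`, `translate`, `query_users`, `make_db` and the `users` table are assumptions made for illustration, and SQLite is used so the block runs stand-alone.

```python
import re
import sqlite3

# Assumed allowlist (not from Pamirs): RSQL selector -> real column name.
ALLOWED_COLUMNS = {"name": "name", "status": "status"}
OPERATORS = {"==": "=", "!=": "<>"}  # RSQL operator -> SQL operator
# selector, operator, then a single-quoted, double-quoted or bare argument
COMPARISON = re.compile(r"""(\w+)(==|!=)(?:'([^']*)'|"([^"]*)"|([^'"\s;,()]+))""")

def translate(rsql):
    """Turn ';'-joined (AND) RSQL comparisons into (where_clause, params)."""
    clauses, params, pos = [], [], 0
    while True:
        m = COMPARISON.match(rsql, pos)
        if m is None:
            raise ValueError(f"unparseable RSQL at offset {pos}")
        selector, op = m.group(1), m.group(2)
        if selector not in ALLOWED_COLUMNS:
            raise ValueError(f"selector not allowed: {selector!r}")
        # Exactly one of the three argument groups matched; '' is a valid value.
        value = next(g for g in m.group(3, 4, 5) if g is not None)
        # Only allowlisted identifiers and a placeholder reach the SQL text.
        clauses.append(f"{ALLOWED_COLUMNS[selector]} {OPERATORS[op]} ?")
        params.append(value)
        pos = m.end()
        if pos == len(rsql):
            return " AND ".join(clauses), params
        if rsql[pos] != ";":
            raise ValueError(f"unexpected {rsql[pos]!r} at offset {pos}")
        pos += 1

def query_users(conn, rsql):
    """Run the filter with values bound by the driver, never concatenated."""
    where, params = translate(rsql)
    sql = f"SELECT name FROM users WHERE {where} ORDER BY name"
    return conn.execute(sql, params).fetchall()

def make_db():
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, status TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "active"), ("bob", "disabled")])
    return conn

if __name__ == "__main__":
    db = make_db()
    print(query_users(db, "status==active"))
    print(query_users(db, '''name=="x' OR '1'='1"'''))
```

A value containing quote characters is bound as a literal string and matches no row, while an unknown selector or stray syntax is rejected before any SQL is built.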
Evidence notes
Source material identifies CVE-2026-8734 as a remotely reachable SQL injection in Oinone Pamirs up to 7.2.0, with the affected function named as RSQLToSQLNodeConnector.makeVariable in the queryListByWrapper interface. The NVD metadata includes CWE-89 and CWE-74 and a CVSS 4.0 vector consistent with network-based, no-auth exploitation. The vendor identity is not strongly normalized in the supplied corpus, so the product naming should be treated as source-reported rather than independently confirmed. The record also states the exploit was publicly disclosed and that the vendor did not respond to early contact.
Official resources
The supplied source description says the exploit has been publicly disclosed and that the vendor was contacted early but did not respond.