CVE-2026-8735 Oinone CVE debrief

Who should care

Organizations running Oinone Pamirs up to 7.2.0, especially any deployment exposing the appConfigQuery interface or relying on JsonUtils.parseMap handling of untrusted input. Security teams monitoring for public exploit activity should also treat this as relevant even with the low CVSS score.

Technical summary

The NVD record attributes the issue to incorrect handling that leads to deserialization in JsonUtils.parseMap within PamirsParserConfig.java. The CNA-supplied CVSS 4.0 vector indicates network attackability with low attack complexity, no user interaction, and low privileges required. The mapped weakness types are CWE-20 and CWE-502, which align with improper input handling and unsafe deserialization patterns.

Defensive priority

Medium for exposed Pamirs deployments, despite the low CVSS score, because the issue is remotely reachable and has a public exploit referenced in the source materials. Prioritize if the appConfigQuery interface is reachable from untrusted networks or if the product is used in higher-trust internal environments where deserialization abuse could still matter.

Recommended defensive actions

• Identify all Oinone Pamirs deployments and confirm whether any instance is at version 7.2.0 or earlier.
• Review exposure of the appConfigQuery interface and restrict access to trusted networks or authenticated administrators where possible.
• Validate whether application traffic reaches JsonUtils.parseMap with attacker-controlled or externally influenced data.
• Apply vendor guidance or upgrade to a fixed release if one is available; if no fix is available, use compensating controls and monitor closely.
• Add detection for unusual requests and unexpected parsing failures around the affected interface and code path.
• Track the official CVE and NVD entries for updates, especially if the record status changes from received to a fully analyzed state.

Evidence notes

This debrief is based only on the supplied NVD/CVE material and referenced source links. The source item states that the issue affects Oinone Pamirs up to 7.2.0, that it involves JsonUtils.parseMap in PamirsParserConfig.java, that the attack can be launched remotely, that an exploit is publicly available and may be used, and that the vendor did not respond to early contact. NVD metadata lists the weakness types as CWE-20 and CWE-502 and provides a CVSS v4.0 vector with network reachability, low attack complexity, no user interaction, and low privileges required. Vendor/product identification is low-confidence in the supplied corpus, so the product name should be treated carefully outside the stated Oinone Pamirs context.

Official resources