PatchSiren

CVE-2026-8736 Oinone CVE debrief

CVE-2026-8736 is reported as a path traversal issue in Oinone Pamirs up to version 7.2.0. The flaw is described in LocalFileClient.java within the RestController component, where manipulation of the uniqueFileName argument can lead to traversal outside the intended path. The source record also says a public exploit was released, and NVD assigns a low-severity CVSS 4.0 vector with physical access and low privileges.

Vendor: Oinone
Product: Pamirs
CVSS: LOW 0.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-17
Original CVE updated: 2026-05-18
Advisory published: 2026-05-17
Advisory updated: 2026-05-18

Who should care

Administrators, operators, and developers responsible for Oinone Pamirs deployments should review this CVE, especially if the affected file-handling component is enabled or if local/physical access to hosts is realistic.

Technical summary

The supplied record maps this issue to CWE-22 (path traversal). NVD’s CVSS 4.0 vector describes a physical-access scenario with low privileges and no user interaction, and the source description ties the issue to request.getParameter handling of uniqueFileName in LocalFileClient.java under the RestController component. The affected version range in the source description is Oinone Pamirs through 7.2.0.

Defensive priority

Low severity in the supplied scoring, but it should be reviewed promptly in any deployment that exposes the affected file-handling path or where local/physical access is plausible. The public-exploit claim increases the need to validate exposure and apply mitigations quickly if the product is in use.

Recommended defensive actions

  • Confirm whether Oinone Pamirs version 7.2.0 or earlier is deployed and whether the RestController/LocalFileClient path is reachable.
  • Inspect any code or configuration that uses uniqueFileName from request parameters and add strict allowlist plus canonical-path validation.
  • Apply a vendor fix or upgrade as soon as a fixed version is available; if no patch is available, disable or restrict the affected functionality.
  • Restrict local and physical access to systems running the product and limit who can invoke the affected component.
  • Review logs and file-access telemetry for unusual path traversal attempts or unauthorized reads and writes.
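
One way to implement the allowlist plus canonical-path validation recommended above, as an added Java example that is not Oinone Pamirs code. The class `SafeFileResolver`, its method and the base directory are assumptions; only the parameter name uniqueFileName comes from the record, and the sample names in `main` are constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.regex.Pattern;

// Hypothetical helper: class, method and directory names are assumptions.
public final class SafeFileResolver {
    // Allowlist: 1-128 chars, first char a letter or digit, so no separators,
    // no leading dot and no control characters can pass.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,127}");
    private final Path baseDir;

    public SafeFileResolver(Path baseDir) throws IOException {
        // Resolve symlinks in the base once so later comparisons use real paths.
        this.baseDir = baseDir.toRealPath();
    }

    public Path resolve(String uniqueFileName) throws IOException {
        // Deliberately strict: any ".." sequence is refused, even inside a name.
        if (uniqueFileName == null || uniqueFileName.contains("..")
                || !ALLOWED.matcher(uniqueFileName).matches()) {
            throw new SecurityException("rejected file name");
        }
        // Lexical containment check on the normalized path.
        Path candidate = baseDir.resolve(uniqueFileName).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("path escapes base directory");
        }
        // If an entry exists (even a dangling symlink), follow it and re-check;
        // toRealPath() throws on a dangling link, so that case fails closed.
        if (Files.exists(candidate, LinkOption.NOFOLLOW_LINKS)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(baseDir)) {
                throw new SecurityException("symlink escapes base directory");
            }
            return real;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("upload-base"); // constructed test directory
        Files.writeString(base.resolve("report.pdf"), "constructed sample");
        SafeFileResolver r = new SafeFileResolver(base);
        for (String n : new String[] {"report.pdf", "new-file.txt", "../outside.txt", "..", "sub/dir.txt", ".hidden"}) {
            try { System.out.println("OK      " + n + " -> " + r.resolve(n)); }
            catch (SecurityException e) { System.out.println("REJECT  " + n + " (" + e.getMessage() + ")"); }
        }
    }
}
```

The containment check runs twice because `normalize()` is purely lexical: only `toRealPath()` notices a symlink inside the base directory that points elsewhere.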

Evidence notes

The debrief is based only on the supplied NVD record snapshot and the VulDB-linked references included in that record. The source data states: affected product Oinone Pamirs up to 7.2.0; component LocalFileClient.java in RestController; manipulation of uniqueFileName leads to path traversal; CWE-22; and a public exploit claim. NVD’s supplied CVSS 4.0 vector is CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The vendor-response statement is source-reported and not independently validated here.

Official resources

The supplied record is dated 2026-05-17. It also states that the vendor was contacted early about the disclosure and did not respond; that detail is source-reported. The public-exploit claim is likewise source-reported and should be treated