PatchSiren

Oinone CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW Oinone CVE published 2026-05-17

CVE-2026-8736

CVE-2026-8736 is reported as a path traversal issue in Oinone Pamirs up to version 7.2.0. The flaw is reported in LocalFileClient.java within the RestController component, where manipulation of the uniqueFileName argument can lead to traversal outside the intended path. The source record also says a public exploit was released, and NVD assigns a low-severity CVSS 4.0 vector that requires physical access and low privileges.

LOW Oinone CVE published 2026-05-17

CVE-2026-8735

CVE-2026-8735 describes a remote deserialization flaw in Oinone Pamirs up to version 7.2.0, affecting JsonUtils.parseMap in PamirsParserConfig for the appConfigQuery interface. The CVSS score is low, but the issue is still security-relevant because deserialization problems can lead to integrity and availability impact, and the source material says a public exploit is available. The vendor was reportedly c [truncated]

MEDIUM Oinone CVE published 2026-05-17

CVE-2026-8734

CVE-2026-8734 describes a remote SQL injection issue in Oinone Pamirs up to 7.2.0, specifically in RSQLToSQLNodeConnector.makeVariable within the queryListByWrapper interface. The source record says the issue was publicly disclosed and that the vendor was contacted early but did not respond. The NVD record classifies the case as medium severity (CVSS 5.5) with low impact on confidentiality, integrity, and [truncated]

HIGH Oinone CVE published 2026-05-15

CVE-2026-39054

CVE-2026-39054 is a high-severity command injection issue affecting Oinone Pamirs 7.0.0. According to the CVE description, CommandHelper.executeCommands starts a shell process and writes attacker-controlled command strings directly to its standard input without sanitization. In affected deployments, that can lead to arbitrary operating system command execution. The record was published on 2026-05-15 and later [truncated]