Cyber Resilience

CVE-2026-39054

High

Published: 15 May 2026

Published
15 May 2026
Modified
18 May 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0280 86.5th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-39054 is a high-severity Command Injection (CWE-77) vulnerability in Oinone Pamirs (inferred from references). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked in the top 13.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Oinone Pamirs version 7.0.0 is affected by a command injection vulnerability in the CommandHelper.executeCommands method. The code launches a shell process and passes attacker-supplied strings directly to its standard input without any sanitization or validation, enabling arbitrary operating system command execution. The issue is tracked as CWE-77 and carries a CVSS 3.1 score of 7.3 reflecting network-accessible, low-complexity exploitation that requires no authentication or user interaction.

An unauthenticated remote attacker can invoke the affected method with crafted input to execute arbitrary commands on the underlying operating system. Successful exploitation grants the ability to read, modify, or delete data and potentially pivot within the affected environment.

The associated GitHub repository and changelog reference provide the primary sources for version history and any subsequent updates, while a public gist illustrates the injection vector. The EPSS score has remained flat at 0.0280 with no observed increase since disclosure.

EU & UK References

Vulnerability details

Oinone Pamirs 7.0.0 contains a command injection vulnerability in CommandHelper.executeCommands. The method starts a shell process and writes attacker-controlled command strings directly to the process standard input without sanitization. In affected deployments, this can result in arbitrary operating system command…

more

execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct command injection into shell process enables arbitrary OS command execution via Unix shell interpreter.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-25743Shared CWE-77
CVE-2025-50428Shared CWE-77
CVE-2025-66219Shared CWE-77
CVE-2025-59046Shared CWE-77
CVE-2026-41500Shared CWE-77
CVE-2025-54416Shared CWE-77
CVE-2026-40034Shared CWE-77
CVE-2025-67511Shared CWE-77
CVE-2024-8402Shared CWE-77
CVE-2026-23823Shared CWE-77

Affected Assets

Oinone
Pamirs
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References