CVE-2026-39054
Published: 15 May 2026
Summary
CVE-2026-39054 is a high-severity command injection (CWE-77) vulnerability in Oinone Pamirs; the affected product is inferred from the advisory's references. Its CVSS 3.1 base score is 7.3 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks in the top 13.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
Deeper analysis
Oinone Pamirs version 7.0.0 is affected by a command injection vulnerability in the CommandHelper.executeCommands method. The code launches a shell process and writes attacker-supplied strings directly to that shell's standard input without any sanitization or validation. Because every line a shell reads from standard input is interpreted as a complete command, the attacker controls whole command lines rather than a single argument; quoting or escaping individual values therefore cannot close the hole, and the only reliable fix is to stop spawning a shell and feeding it caller-controlled text. The issue is tracked as CWE-77 and carries a CVSS 3.1 score of 7.3, reflecting network-accessible, low-complexity exploitation that requires no authentication or user interaction.
An unauthenticated remote attacker can invoke the affected method with crafted input to execute arbitrary commands on the underlying operating system. Successful exploitation grants the ability to read, modify, or delete data and potentially pivot within the affected environment.
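The following Java is an added illustration written for this page; it is not Pamirs source code and is not taken from the referenced gist. It reconstructs the pattern the advisory describes (a shell spawned and fed caller-controlled lines on stdin) beside a hardened replacement that spawns no shell, maps a named operation to a fixed argv, and validates the one variable argument. The class and method names, the allowlist entries, the argument pattern, and the sample attacker input are all assumptions.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

public final class CommandHelperExample {

    // Vulnerable pattern, reconstructed from the advisory text (hypothetical shape, not the
    // project's code). Each line written to the shell's stdin is executed as a full command,
    // so any caller-supplied string is arbitrary OS command execution. Escaping cannot help:
    // the attacker owns the whole line, not one argument inside a fixed command.
    static String executeCommandsVulnerable(List<String> commands)
            throws IOException, InterruptedException {
        Process sh = new ProcessBuilder("/bin/sh").redirectErrorStream(true).start();
        try (OutputStream stdin = sh.getOutputStream()) {
            for (String c : commands) {
                stdin.write((c + "\n").getBytes(StandardCharsets.UTF_8));
            }
        }
        String out = new String(sh.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        sh.waitFor();
        return out;
    }

    // Hardened replacement: no shell at all. The caller names an operation, the code maps it
    // to a fixed argv, and the single variable argument is checked against a strict pattern
    // and appended as its own argv element, so it can never be parsed as a command.
    private static final Map<String, String[]> ALLOWED = Map.of(   // assumed allowlist
        "disk-usage", new String[] {"/bin/df", "-h"},
        "list-dir",   new String[] {"/bin/ls", "-l"});

    private static final Pattern SAFE_ARG = Pattern.compile("^[A-Za-z0-9._/-]{1,128}$");

    static String executeAllowed(String operation, String arg)
            throws IOException, InterruptedException {
        String[] base = ALLOWED.get(operation);
        if (base == null) {
            throw new IllegalArgumentException("operation not permitted: " + operation);
        }
        if (arg != null && (!SAFE_ARG.matcher(arg).matches() || arg.contains(".."))) {
            throw new IllegalArgumentException("argument rejected");
        }
        List<String> argv = new ArrayList<>(List.of(base));
        if (arg != null) {
            argv.add(arg);
        }
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        p.getOutputStream().close();   // nothing is ever written to the child's stdin
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        if (!p.waitFor(10, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("command timed out");
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker input: a plausible-looking command list whose second line is
        // an arbitrary command the caller never intended to allow.
        List<String> attackerInput = List.of("echo hello", "id");
        System.out.println(executeCommandsVulnerable(attackerInput));   // runs `id` as well

        System.out.println(executeAllowed("list-dir", "/tmp"));          // fixed argv, no shell
        try {
            executeAllowed("list-dir", "/tmp; id");                      // ';' fails SAFE_ARG
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the hardened version is structural: the operating-system-facing call site never sees free text from the request, only an operation name resolved against a fixed table and a validated argument passed as a discrete argv element. If a deployment genuinely needs operators to run ad hoc commands, that capability belongs behind authenticated, authorized administrative access, which the CVSS vector (no privileges required) indicates the affected endpoint lacks.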
The associated GitHub repository and changelog reference are the primary sources for version history and any subsequent updates, while a public gist illustrates the injection vector. The EPSS score has remained flat at 0.0280 since disclosure, with no observed increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-30547
Vulnerability details
Oinone Pamirs 7.0.0 contains a command injection vulnerability in CommandHelper.executeCommands. The method starts a shell process and writes attacker-controlled command strings directly to the process standard input without sanitization. In affected deployments, this can result in arbitrary operating system command execution.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1059 applies because direct command injection into the spawned shell process yields arbitrary OS command execution through the Unix shell interpreter, which corresponds to the Unix Shell sub-technique (T1059.004).
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.