{"api_version":"1","generated_at":"2026-05-18T03:58:12+00:00","cve":"CVE-2026-8735","urls":{"html":"https://cve.report/CVE-2026-8735","api":"https://cve.report/api/cve/CVE-2026-8735.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-8735","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-8735"},"summary":{"title":"Oinone Pamirs appConfigQuery PamirsParserConfig.java JsonUtils.parseMap deserialization","description":"A vulnerability was identified in Oinone Pamirs up to 7.2.0. This affects the function JsonUtils.parseMap of the file PamirsParserConfig.java of the component appConfigQuery Interface. Such manipulation leads to deserialization. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.","state":"PUBLISHED","assigner":"VulDB","published_at":"2026-05-17 06:16:20","updated_at":"2026-05-17 06:16:20"},"problem_types":["CWE-20","CWE-502","CWE-502 Deserialization","CWE-20 Improper Input Validation"],"metrics":[{"version":"4.0","source":"cna@vuldb.com","type":"Secondary","score":"2.1","severity":"LOW","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"DECLARED","score":"5.3","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","data":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","version":"4.0"}},{"version":"3.1","source":"cna@vuldb.com","type":"Primary","score":"6.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"6.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","data":{"baseScore":6.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","version":"3.1"}},{"version":"3.0","source":"CNA","type":"DECLARED","score":"6.3","severity":"MEDIUM","vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","data":{"baseScore":6.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","version":"3.0"}},{"version":"2.0","source":"cna@vuldb.com","type":"Secondary","score":"6.5","severity":"","vector":"AV:N/AC:L/Au:S/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}},{"version":"2.0","source":"CNA","type":"DECLARED","score":"6.5","severity":"","vector":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR","data":{"baseScore":6.5,"vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR","version":"2.0"}}],"references":[{"url":"https://github.com/SourByte05/SourByte-Lab/issues/13","name":"https://github.com/SourByte05/SourByte-Lab/issues/13","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/submit/809887","name":"https://vuldb.com/submit/809887","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/vuln/364323","name":"https://vuldb.com/vuln/364323","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/vuln/364323/cti","name":"https://vuldb.com/vuln/364323/cti","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-8735","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8735","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Oinone","product":"Pamirs","version":"affected 7.0","platforms":[]},{"source":"CNA","vendor":"Oinone","product":"Pamirs","version":"affected 7.1","platforms":[]},{"source":"CNA","vendor":"Oinone","product":"Pamirs","version":"affected 7.2.0","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-05-16T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"source":"CNA","time":"2026-05-16T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"source":"CNA","time":"2026-05-16T12:35:17.000Z","lang":"en","value":"VulDB entry last update"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"sourbyte (VulDB User)","lang":"en"},{"source":"CNA","value":"VulDB CNA Team","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"8735","cve":"CVE-2026-8735","epss":"0.000410000","percentile":"0.123960000","score_date":"2026-05-17","updated_at":"2026-05-18 00:00:09"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"cpes":["cpe:2.3:a:oinone:pamirs:*:*:*:*:*:*:*:*"],"modules":["appConfigQuery Interface"],"product":"Pamirs","vendor":"Oinone","versions":[{"status":"affected","version":"7.0"},{"status":"affected","version":"7.1"},{"status":"affected","version":"7.2.0"}]}],"credits":[{"lang":"en","type":"reporter","value":"sourbyte (VulDB User)"},{"lang":"en","type":"coordinator","value":"VulDB CNA Team"}],"descriptions":[{"lang":"en","value":"A vulnerability was identified in Oinone Pamirs up to 7.2.0. This affects the function JsonUtils.parseMap of the file PamirsParserConfig.java of the component appConfigQuery Interface. Such manipulation leads to deserialization. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}],"metrics":[{"cvssV4_0":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","version":"4.0"}},{"cvssV3_1":{"baseScore":6.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","version":"3.1"}},{"cvssV3_0":{"baseScore":6.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","version":"3.0"}},{"cvssV2_0":{"baseScore":6.5,"vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR","version":"2.0"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-502","description":"Deserialization","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-20","description":"Improper Input Validation","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-17T05:15:10.410Z","orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB"},"references":[{"name":"VDB-364323 | Oinone Pamirs appConfigQuery PamirsParserConfig.java JsonUtils.parseMap deserialization","tags":["vdb-entry","technical-description"],"url":"https://vuldb.com/vuln/364323"},{"name":"VDB-364323 | CTI Indicators (IOB, IOC, IOA)","tags":["signature","permissions-required"],"url":"https://vuldb.com/vuln/364323/cti"},{"name":"Submit #809887 | Oinone  Oinone <= 7.2.0 Fastjson Remote Code Execution","tags":["third-party-advisory"],"url":"https://vuldb.com/submit/809887"},{"tags":["exploit","issue-tracking"],"url":"https://github.com/SourByte05/SourByte-Lab/issues/13"}],"timeline":[{"lang":"en","time":"2026-05-16T00:00:00.000Z","value":"Advisory disclosed"},{"lang":"en","time":"2026-05-16T02:00:00.000Z","value":"VulDB entry created"},{"lang":"en","time":"2026-05-16T12:35:17.000Z","value":"VulDB entry last update"}],"title":"Oinone Pamirs appConfigQuery PamirsParserConfig.java JsonUtils.parseMap deserialization"}},"cveMetadata":{"assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","assignerShortName":"VulDB","cveId":"CVE-2026-8735","datePublished":"2026-05-17T05:15:10.410Z","dateReserved":"2026-05-16T10:30:05.343Z","dateUpdated":"2026-05-17T05:15:10.410Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-17 06:16:20","lastModifiedDate":"2026-05-17 06:16:20","problem_types":["CWE-20","CWE-502","CWE-502 Deserialization","CWE-20 Improper Input Validation"],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"8735","Ordinal":"1","Title":"Oinone Pamirs appConfigQuery PamirsParserConfig.java JsonUtils.p","CVE":"CVE-2026-8735","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"8735","Ordinal":"1","NoteData":"A vulnerability was identified in Oinone Pamirs up to 7.2.0. This affects the function JsonUtils.parseMap of the file PamirsParserConfig.java of the component appConfigQuery Interface. Such manipulation leads to deserialization. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.","Type":"Description","Title":"Oinone Pamirs appConfigQuery PamirsParserConfig.java JsonUtils.p"}]}}}