CVE-2026-39053 Overview
CVE-2026-39053 is an XML External Entity (XXE) vulnerability [CWE-611] in Oinone Pamirs 7.0.0. The framework uses XStream-based XML parsing without disabling external entity resolution. Attacker-controlled XML passed to entry points such as PamirsXmlUtils.fromXML(...) and ViewXmlUtils.fromXML(...) is processed unsafely. An unauthenticated attacker can submit crafted XML over the network to trigger local file disclosure or Server-Side Request Forgery (SSRF) against internal services.
Critical Impact
Unauthenticated network attackers can read local files and reach internal endpoints through SSRF by submitting malicious XML to vulnerable Pamirs parsing entry points.
Affected Products
- Oinone Pamirs 7.0.0
- PamirsXmlUtils.fromXML(...) parsing entry point
- ViewXmlUtils.fromXML(...) parsing entry point
Discovery Timeline
- 2026-05-15 - CVE-2026-39053 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-39053
Vulnerability Analysis
The vulnerability resides in Pamirs' XStream-based XML parsing logic. XStream supports XML deserialization, but its underlying parser must be configured to reject external entities and DTD declarations. Pamirs 7.0.0 leaves these protections off in its shared utility functions.
Any framework component that funnels untrusted input through PamirsXmlUtils.fromXML(...) or ViewXmlUtils.fromXML(...) inherits the flaw. Attackers exploit it by submitting XML containing a DOCTYPE declaration that references an external entity. The parser resolves that entity at processing time.
Resolving a file:// URI returns local file contents into the parsed document, leading to information disclosure. Resolving an http:// URI causes the server to issue outbound requests, enabling SSRF against cloud metadata services or internal-only applications. The Exploit Prediction Scoring System (EPSS) lists a probability of 0.066%.
Root Cause
The root cause is improper restriction of XML external entity references [CWE-611]. The XStream driver used by Pamirs does not disable DTD processing or external entity expansion. Input validation is delegated to the parser, which accepts entity declarations by default.
Attack Vector
Exploitation requires network access to an endpoint that forwards request bodies or parameters into the vulnerable fromXML utilities. No authentication or user interaction is required. The attacker supplies XML containing a malicious external entity reference and observes the response or out-of-band callbacks.
No verified public exploit code is available. For technical context, see the GitHub Gist Code Snippet referenced by the advisory and the GitHub PAMIRs Project source repository.
Detection Methods for CVE-2026-39053
Indicators of Compromise
- Inbound HTTP request bodies containing <!DOCTYPE or <!ENTITY declarations directed at Pamirs application endpoints.
- Outbound connections from Pamirs application servers to attacker-controlled hosts or to cloud metadata addresses such as 169.254.169.254.
- Application logs showing XStream or SAX parser errors referencing external entity resolution failures.
Detection Strategies
- Inspect HTTP traffic to Pamirs endpoints for XML payloads containing DTD or entity declarations.
- Monitor process-level network telemetry for unexpected outbound connections originating from the Java process hosting Pamirs.
- Search application logs for stack traces involving PamirsXmlUtils.fromXML or ViewXmlUtils.fromXML paired with I/O exceptions.
Monitoring Recommendations
- Alert on read access to sensitive files such as /etc/passwd, /etc/shadow, and application credential files by the Pamirs service account.
- Track DNS resolutions from Pamirs hosts to external domains that do not match documented integrations.
- Correlate XML POST requests with subsequent outbound connections to flag SSRF chains in near real time.
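The detection strategies and monitoring recommendations above, as an added example that is not part of the advisory or the Pamirs project: a small Java detector that flags request bodies carrying DTD or entity declarations and correlates them with later outbound connections from the same host. The telemetry records, hostnames and window size are constructed for the example; the 169.254.169.254 address and the token list come from the advisory.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public final class XxeChainDetector {
    // Matches a DOCTYPE or ENTITY declaration anywhere in a request body (case-insensitive).
    private static final Pattern DTD_TOKEN = Pattern.compile("(?i)<!(DOCTYPE|ENTITY)\\b");
    // Cloud metadata address named in the advisory; egress to it right after a DTD POST is the worst case.
    private static final String METADATA_IP = "169.254.169.254";

    // First detection strategy: does this request body carry a DTD or entity declaration?
    static boolean bodyHasDtdTokens(String body) {
        return body != null && DTD_TOKEN.matcher(body).find();
    }

    // One telemetry record: an XML POST (detail = body) or an egress connection (detail = destination).
    record Event(long epochSec, String host, String kind, String detail) {}

    // Correlation from the monitoring recommendations: pair each DTD-bearing XML POST with egress from the same host within windowSec.
    static List<String> correlate(List<Event> events, long windowSec) {
        List<String> alerts = new ArrayList<>();
        for (Event post : events) {
            if (!post.kind().equals("xml_post") || !bodyHasDtdTokens(post.detail())) continue;
            for (Event out : events) {
                if (!out.kind().equals("egress") || !out.host().equals(post.host())) continue;
                long delta = out.epochSec() - post.epochSec();
                if (delta < 0 || delta > windowSec) continue;
                String severity = METADATA_IP.equals(out.detail()) ? "HIGH" : "MEDIUM";
                alerts.add(severity + " " + post.host() + ": DTD in XML POST at " + post.epochSec()
                        + ", egress to " + out.detail() + " " + delta + "s later");
            }
        }
        return alerts;
    }

    public static void main(String[] args) {
        // Constructed sample telemetry; hostnames, times, bodies and the entity URI are placeholders.
        List<Event> sample = List.of(
            new Event(1700000000L, "pamirs-app-01", "xml_post", "<view><name>ok</name></view>"),
            new Event(1700000005L, "pamirs-app-01", "egress", "10.0.4.12"),
            new Event(1700000100L, "pamirs-app-02", "xml_post",
                "<!DOCTYPE v [<!ENTITY e SYSTEM \"file:///PLACEHOLDER\">]><view>&e;</view>"),
            new Event(1700000102L, "pamirs-app-02", "egress", METADATA_IP));
        correlate(sample, 30).forEach(System.out::println);
    }
}
```

Benign XML POSTs followed by egress to documented integrations produce no alert; a DTD-bearing POST followed by egress to the metadata address is reported as HIGH.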
How to Mitigate CVE-2026-39053
Immediate Actions Required
- Inventory all deployments of Oinone Pamirs 7.0.0 and identify exposed endpoints that accept XML input.
- Restrict network egress from Pamirs application servers to required destinations only, blocking access to cloud metadata services.
- Place a Web Application Firewall (WAF) rule in front of Pamirs to reject request bodies containing <!DOCTYPE or <!ENTITY tokens.
Patch Information
Review the Oinone Changelog for fixed releases addressing the XStream parser configuration. Upgrade to the patched version once available and confirm that PamirsXmlUtils.fromXML(...) and ViewXmlUtils.fromXML(...) reject DTDs and external entities.
Workarounds
- Configure the underlying XML parser to disable DTDs by setting the feature http://apache.org/xml/features/disallow-doctype-decl to true.
- Disable external general and parameter entities by setting the SAX features http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities to false.
- Reject any inbound XML at the application gateway when no XML payload is expected by the affected endpoints.
// Configuration example: harden the SAX parser used by XStream
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

static SAXParser hardenedSaxParser() throws Exception { // setFeature and newSAXParser declare checked exceptions
    SAXParserFactory spf = SAXParserFactory.newInstance();
    spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);          // reject any DOCTYPE outright
    spf.setFeature("http://xml.org/sax/features/external-general-entities", false);       // no external general entities
    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);     // no external parameter entities
    spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); // never fetch an external DTD
    spf.setXIncludeAware(false); // XInclude can also pull in external content
    return spf.newSAXParser();
}
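The same two workaround settings applied where XStream actually reads input, as an added example that is not the advisory's or the Pamirs project's code. XStream parses through its driver rather than through a SAXParserFactory, so the hardening has to be set on that driver; this example assumes the XStream instance is built with a StaxDriver (an assumption, the advisory does not name the driver), and the class names are hypothetical.

```java
import javax.xml.stream.XMLInputFactory;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.StaxDriver;

public final class HardenedXStreamFactory {

    // StaxDriver whose StAX factory refuses DTDs and external entities, i.e. the
    // advisory's two workaround settings applied at the layer XStream reads from.
    static final class NoDtdStaxDriver extends StaxDriver {
        @Override
        protected XMLInputFactory createInputFactory() {
            XMLInputFactory f = super.createInputFactory();
            f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
            f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
            return f;
        }
    }

    // Builds an XStream instance that (a) cannot resolve DTDs or external entities and
    // (b) only instantiates the listed classes (XStream's own type allowlist, a separate concern).
    public static XStream create(Class<?>... allowedTypes) {
        XStream xstream = new XStream(new NoDtdStaxDriver());
        xstream.allowTypes(allowedTypes);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xs = create(String.class);
        // Constructed input in the shape the advisory describes: a DOCTYPE declaring an
        // external entity (placeholder URI). With SUPPORT_DTD off the StAX parser fails on
        // the declaration or on the unresolvable reference instead of fetching anything,
        // and XStream surfaces that as a runtime StreamException.
        String hostile = "<!DOCTYPE s [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>"
                       + "<string>&ext;</string>";
        String benign = "<string>hello</string>";
        System.out.println("benign -> " + xs.fromXML(benign));
        try {
            xs.fromXML(hostile);
            System.out.println("UNEXPECTED: hostile document parsed");
        } catch (RuntimeException e) {
            System.out.println("hostile rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

If Pamirs uses a different driver (for example DomDriver), the equivalent step is to disable DTDs and external entities on that driver's underlying parser factory instead.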
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.