CVE-2026-3064

MediumPublic PoC

Published: 24 February 2026

Published

24 February 2026

Modified

24 February 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0060 69.7th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A security vulnerability has been detected in HummerRisk up to 1.5.0. Affected by this issue is some unknown functionality of the file ResourceCreateService.java of the component Cloud Task Scheduler. Such manipulation of the argument regionId leads to command injection. The…

attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly validates and sanitizes untrusted inputs like the regionId argument to prevent command injection in ResourceCreateService.java.

SI-2 Flaw Remediation good match

prevent

Ensures timely identification, reporting, and remediation of the specific command injection flaw in the Cloud Task Scheduler component.

SI-9 Information Input Restrictions partial match

prevent

Restricts information inputs such as regionId to organization-defined criteria, blocking malicious payloads at the interface.

Security SummaryAI

CVE-2026-3064 is a command injection vulnerability in HummerRisk versions up to 1.5.0. The flaw affects an unknown functionality in the ResourceCreateService.java file within the Cloud Task Scheduler component, where manipulation of the regionId argument enables arbitrary command injection.

The vulnerability is exploitable remotely by attackers with low privileges over the network with low attack complexity and no user interaction required. Exploitation can result in limited impacts to confidentiality, integrity, and availability, earning a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). It maps to CWE-74 and CWE-77.

Advisories note that the exploit has been publicly disclosed and is available for use, as detailed in a GitHub issue at https://github.com/AnalogyC0de/public_exp/issues/8 and VulDB entries including https://vuldb.com/?ctiid.347415, https://vuldb.com/?id.347415, and https://vuldb.com/?submit.757695. The vendor was contacted early regarding the issue but provided no response, and no patches or specific mitigations are referenced.

Details

CWE(s): CWE-74 CWE-77

Affected Products

hummerrisk

≤ 1.5.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Command injection in remotely accessible Cloud Task Scheduler service (AV:N/PR:L) enables exploitation of public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/AnalogyC0de/public_exp/issues/8
Exploit, Issue Tracking, Mitigation, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.347415
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.347415
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.757695
Third Party Advisory, VDB Entry · cna@vuldb.com