Cyber Posture

CVE-2026-3065

Medium · Public PoC

Published: 24 February 2026
Modified: 24 February 2026
KEV Added
Patch
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0011 (29.1th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was detected in HummerRisk up to 1.5.0. This affects the function CommandUtils.commonExecCmdWithResult of the file CloudTaskService.java of the component Cloud Task Dry-run. Performing a manipulation of the argument fileName results in command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly requires validation of untrusted inputs like the fileName argument to prevent command injection in the CommandUtils.commonExecCmdWithResult function.

prevent: Mandates timely identification, reporting, and correction of flaws such as the improper input validation enabling command injection in HummerRisk's Cloud Task Dry-run component.

prevent: Enforces least privilege to restrict the impact of arbitrary commands injected by low-privilege authenticated attackers exploiting the vulnerability.

Security Summary [AI]

CVE-2026-3065 is a command injection vulnerability affecting HummerRisk versions up to 1.5.0. The flaw resides in the CommandUtils.commonExecCmdWithResult function within the CloudTaskService.java file of the Cloud Task Dry-run component. It stems from improper validation of the fileName argument, enabling attackers to inject and execute arbitrary commands.
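To make the "improper validation of the fileName argument" concrete, here is an added illustration in Java that is not HummerRisk code and does not reproduce its implementation: a hypothetical dry-run step that splices a user-supplied file name into a shell command line, beside a hardened version that allowlists the name, confines the resolved path, and passes it as a discrete argv element with no shell involved. The base directory, tool name and sample file names are constructed for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical illustration, not HummerRisk code: the same "run a tool on
// fileName" step written in the injectable way and in a hardened way.
public class DryRunExample {
    // Constructed base directory for task files; the real layout is not known here.
    private static final Path BASE = Paths.get("/var/lib/example-tasks").toAbsolutePath().normalize();
    // Strict allowlist: a plain file name with no separators or shell metacharacters.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$");

    // Injectable pattern: the untrusted name becomes part of a string the shell parses,
    // so any shell metacharacter in it changes what gets executed.
    static List<String> unsafeCommand(String fileName) {
        return List.of("sh", "-c", "example-tool --input " + fileName);
    }

    // Hardened pattern: validate, confine to BASE, and hand the value to the
    // tool as one argv element via ProcessBuilder (no shell in the loop).
    static List<String> safeCommand(String fileName) {
        if (fileName == null || !SAFE_NAME.matcher(fileName).matches()) {
            throw new IllegalArgumentException("rejected file name");
        }
        Path resolved = BASE.resolve(fileName).normalize();
        if (!resolved.startsWith(BASE)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return List.of("example-tool", "--input", resolved.toString());
    }

    // Executes an argv list directly; each element is a separate argument.
    static String run(List<String> argv) throws Exception {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        String out = new String(p.getInputStream().readAllBytes());
        p.waitFor();
        return out;
    }

    public static void main(String[] args) {
        // Constructed inputs: one acceptable name, one with a metacharacter, one traversal attempt.
        for (String name : new String[] {"task1.json", "task1.json;x", "../secret.txt"}) {
            try {
                System.out.println("accepted: " + safeCommand(name));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected '" + name + "': " + e.getMessage());
            }
        }
    }
}
```

Only the first constructed name passes; the other two are rejected before any process is started, which is the check the first mitigating control above calls for.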

Remote exploitation is possible with low complexity over the network, requiring low privileges (PR:L) and no user interaction. Per the CVSS v3.1 score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), attackers with authenticated low-privilege access can achieve limited impacts on confidentiality, integrity, and availability through injected commands.

Advisories note that the exploit is public and may be used, as detailed in a GitHub issue at https://github.com/AnalogyC0de/public_exp/issues/9 and VulDB entries at https://vuldb.com/?ctiid.347416, https://vuldb.com/?id.347416, and https://vuldb.com/?submit.757696. The vendor was contacted early about the disclosure but provided no response, and no patches or mitigations are specified.

The vulnerability, linked to CWE-74 and CWE-77, was published on 2026-02-24, with a publicly available exploit heightening the risk of real-world abuse.

Details

CWE(s)

Affected Products

hummerrisk / hummerrisk: ≤ 1.5.0

MITRE ATT&CK Enterprise Techniques [AI]

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The command injection vulnerability directly enables arbitrary OS command execution, mapping to Unix Shell (T1059.004), because the affected component performs system command execution from a Java-based cloud service that likely runs on Linux/Unix.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References