CVE-2026-6349
Published: 16 April 2026
Description
The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- SI-10 (Information Input Validation) directly addresses OS command injection by requiring validation of all user-supplied input so that malicious command strings are rejected before they reach iSherlock's command execution paths.
- SI-2 (Flaw Remediation) ensures timely patching and remediation of the specific OS command injection flaw identified in CVE-2026-6349.
- SI-9 restricts input types, formats, and sources to limit the opportunities an unauthenticated attacker has to inject OS commands. Note that SI-9 (Information Input Restrictions) is marked withdrawn in SP 800-53 r4 and r5, with its content incorporated into AC-2, AC-3, AC-5 and AC-6; map this mitigation to those access-control families when using r5.
Security Summary (AI-generated)
CVE-2026-6349 is an OS Command Injection vulnerability (CWE-78) affecting iSherlock, a product developed by HGiga. Published on 2026-04-16, the issue enables attackers to inject arbitrary OS commands that execute on the server. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.
Unauthenticated local attackers can exploit this vulnerability to inject and execute arbitrary OS commands on the affected server. Successful exploitation lets an attacker run commands with the privileges of the server process, potentially leading to full system compromise. Note that the published description says "local" while the CVSS vector (AV:N) and the ATT&CK mapping below treat the flaw as reachable over the network; treat the product as exposed if it is network-accessible at all.
Advisories from TWCERT/CC provide further details on the vulnerability, available at https://www.twcert.org.tw/en/cp-139-10841-4f504-2.html and https://www.twcert.org.tw/tw/cp-132-10842-3f255-1.html.
Details
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, "OS Command Injection")
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Unauthenticated remote OS command injection in a public-facing application enables T1190 (Exploit Public-Facing Application) for initial access via exploitation of the flaw, and T1059 (Command and Scripting Interpreter) for arbitrary command execution with the server's privileges.