CVE-2026-6849
Published: 29 April 2026
Description
Improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus OS My Computer allows OS Command Injection. This issue affects Pardus OS My Computer: from <=0.7.5 before 0.8.0.
Mitigating Controls (NIST 800-53 r5)
- SI-10 Information Input Validation: directly addresses the improper neutralization of special elements in OS commands by requiring that data passed to a command line be validated, or better, passed as separate arguments rather than through a shell.
- SI-2 Flaw Remediation: mitigates the vulnerability by identifying, reporting, and correcting the flaw, here by updating Pardus OS My Computer to version 0.8.0 or later.
- SI-4 System Monitoring: enables detection of unexpected OS command execution (for example, a shell spawned by the desktop application) resulting from successful injection attempts.
Security Summary
CVE-2026-6849 is an improper neutralization of special elements used in an OS command, enabling OS command injection (CWE-78), in the My Computer component of Pardus OS from TUBITAK BILGEM Software Technologies Research Institute. It affects Pardus OS My Computer versions up to and including 0.7.5 and is fixed in version 0.8.0. It was published on 2026-04-29 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Remote attackers can exploit this vulnerability over the network with low attack complexity and no required privileges, though user interaction is necessary. Successful exploitation grants attackers the ability to inject and execute arbitrary OS commands with high impacts on confidentiality, integrity, and availability.
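The root cause named above (CWE-78, SI-10) is easiest to see side by side. The following is an added example, not code from Pardus OS My Computer and not derived from the advisory: a hypothetical "open this file" helper written the vulnerable way (user-controlled name interpolated into a shell command) next to two safe forms. `echo` stands in for the real opener so the example runs offline, and the attacker-controlled file name is constructed.

```python
import shlex
import subprocess

# Constructed attacker-controlled file name; the ';' is the payload.
EVIL_NAME = "notes.txt; echo INJECTED"

# Stand-in for the real helper program (e.g. a file opener), so this runs offline.
HELPER = "echo"


def open_vulnerable(name: str) -> list[str]:
    """Hypothetical CWE-78 pattern: the name is pasted into a shell command line.
    /bin/sh sees the ';' and runs the attacker's second command."""
    cmd = f"{HELPER} opening {name}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True).stdout
    return out.splitlines()


def open_hardened(name: str) -> list[str]:
    """Fix: pass argv as a list with no shell, so metacharacters stay inside one
    argument. Control characters are rejected up front (input validation)."""
    if "\0" in name or "\n" in name:
        raise ValueError("file name contains control characters")
    out = subprocess.run([HELPER, "opening", name], capture_output=True, text=True, check=True).stdout
    return out.splitlines()


def open_quoted(name: str) -> list[str]:
    """Fallback when a shell string is unavoidable: shlex.quote() turns the whole
    name into a single shell word."""
    cmd = f"{HELPER} opening {shlex.quote(name)}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True).stdout
    return out.splitlines()


if __name__ == "__main__":
    print("vulnerable:", open_vulnerable(EVIL_NAME))  # two commands ran
    print("hardened:  ", open_hardened(EVIL_NAME))    # one command, literal name
    print("quoted:    ", open_quoted(EVIL_NAME))      # one command, literal name
```

The vulnerable variant produces two lines of output because the shell executed `echo INJECTED` as a separate command; both safe variants produce one line containing the name verbatim. The argv-list form is preferable to quoting because it removes the shell from the call path entirely rather than relying on escaping being applied everywhere.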
The USOM advisory at https://www.usom.gov.tr/bildirim/tr-26-0131 provides further details, with mitigation achieved by upgrading Pardus OS My Computer to version 0.8.0 or later.
Details
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables OS command injection in a client application (My Computer in Pardus OS), so it maps to Exploitation for Client Execution (T1203) and to Command and Scripting Interpreter: Unix Shell (T1059.004) for the arbitrary shell commands an attacker can run.