CVE-2026-3064
Published: 24 February 2026
Summary
CVE-2026-3064 is a medium-severity Injection (CWE-74) vulnerability in Hummerrisk Hummerrisk. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates and sanitizes untrusted inputs like the regionId argument to prevent command injection in ResourceCreateService.java.
Ensures timely identification, reporting, and remediation of the specific command injection flaw in the Cloud Task Scheduler component.
Restricts information inputs such as regionId to organization-defined criteria, blocking malicious payloads at the interface.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in remotely accessible Cloud Task Scheduler service (AV:N/PR:L) enables exploitation of public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).
NVD Description
A security vulnerability has been detected in HummerRisk up to 1.5.0. Affected by this issue is some unknown functionality of the file ResourceCreateService.java of the component Cloud Task Scheduler. Such manipulation of the argument regionId leads to command injection. The…
more
attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-3064 is a command injection vulnerability in HummerRisk versions up to 1.5.0. The flaw affects an unknown functionality in the ResourceCreateService.java file within the Cloud Task Scheduler component, where manipulation of the regionId argument enables arbitrary command injection.
The vulnerability is exploitable remotely by attackers with low privileges over the network with low attack complexity and no user interaction required. Exploitation can result in limited impacts to confidentiality, integrity, and availability, earning a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). It maps to CWE-74 and CWE-77.
Advisories note that the exploit has been publicly disclosed and is available for use, as detailed in a GitHub issue at https://github.com/AnalogyC0de/public_exp/issues/8 and VulDB entries including https://vuldb.com/?ctiid.347415, https://vuldb.com/?id.347415, and https://vuldb.com/?submit.757695. The vendor was contacted early regarding the issue but provided no response, and no patches or specific mitigations are referenced.
Details
- CWE(s)