Cyber Resilience

CVE-2026-3064

MediumPublic PoC

Published: 24 February 2026

Published
24 February 2026
Modified
24 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.1438 96.2th percentile
Risk Priority 60 floored blend · peak EPSS

Summary

CVE-2026-3064 is a medium-severity Injection (CWE-74) vulnerability in Hummerrisk Hummerrisk. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3064 is a command injection vulnerability in HummerRisk versions up to 1.5.0. The flaw affects an unknown functionality in the ResourceCreateService.java file within the Cloud Task Scheduler component, where manipulation of the regionId argument enables arbitrary command injection.

The vulnerability is exploitable remotely by attackers with low privileges over the network with low attack complexity and no user interaction required. Exploitation can result in limited impacts to confidentiality, integrity, and availability, earning a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). It maps to CWE-74 and CWE-77.

Advisories note that the exploit has been publicly disclosed and is available for use, as detailed in a GitHub issue at https://github.com/AnalogyC0de/public_exp/issues/8 and VulDB entries including https://vuldb.com/?ctiid.347415, https://vuldb.com/?id.347415, and https://vuldb.com/?submit.757695. The vendor was contacted early regarding the issue but provided no response, and no patches or specific mitigations are referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security vulnerability has been detected in HummerRisk up to 1.5.0. Affected by this issue is some unknown functionality of the file ResourceCreateService.java of the component Cloud Task Scheduler. Such manipulation of the argument regionId leads to command injection. The…

more

attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in remotely accessible Cloud Task Scheduler service (AV:N/PR:L) enables exploitation of public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3065Same product: Hummerrisk Hummerrisk
CVE-2026-3066Same product: Hummerrisk Hummerrisk
CVE-2026-3067Same product: Hummerrisk Hummerrisk
CVE-2025-63721Same product: Hummerrisk Hummerrisk
CVE-2026-1413Shared CWE-74, CWE-77
CVE-2026-1624Shared CWE-74, CWE-77
CVE-2026-4204Shared CWE-74, CWE-77
CVE-2026-8345Shared CWE-74, CWE-77
CVE-2026-4197Shared CWE-74, CWE-77
CVE-2026-2085Shared CWE-74, CWE-77

Affected Assets

hummerrisk
hummerrisk
≤ 1.5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates and sanitizes untrusted inputs like the regionId argument to prevent command injection in ResourceCreateService.java.

prevent

Ensures timely identification, reporting, and remediation of the specific command injection flaw in the Cloud Task Scheduler component.

prevent

Restricts information inputs such as regionId to organization-defined criteria, blocking malicious payloads at the interface.

References