CVE-2026-3065
Published: 24 February 2026
Summary
CVE-2026-3065 is a medium-severity Injection (CWE-74) vulnerability in HummerRisk (vendor: Hummerrisk). Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The vulnerability is ranked at the 29.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- SI-10 (Information Input Validation): Directly requires validation of untrusted inputs such as the fileName argument to prevent command injection in the CommandUtils.commonExecCmdWithResult function.
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of flaws such as the improper input validation enabling command injection in HummerRisk's Cloud Task Dry-run component.
- Least privilege: Enforces least privilege to restrict the impact of arbitrary commands injected by low-privilege authenticated attackers exploiting the vulnerability.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The command injection vulnerability directly enables arbitrary OS command execution, which maps to Unix Shell (T1059.004): the affected component executes system commands from a Java-based cloud service that most likely runs on Linux/Unix.
NVD Description
A vulnerability was detected in HummerRisk up to 1.5.0. This affects the function CommandUtils.commonExecCmdWithResult of the file CloudTaskService.java of the component Cloud Task Dry-run. Performing a manipulation of the argument fileName results in command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis [AI-generated]
CVE-2026-3065 is a command injection vulnerability affecting HummerRisk versions up to 1.5.0. The flaw resides in the CommandUtils.commonExecCmdWithResult function within the CloudTaskService.java file of the Cloud Task Dry-run component. It stems from improper validation of the fileName argument, enabling attackers to inject and execute arbitrary commands.
Remote exploitation is possible with low complexity over the network, requiring low privileges (PR:L) and no user interaction. Per the CVSS v3.1 score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), attackers with authenticated low-privilege access can achieve limited impacts on confidentiality, integrity, and availability through injected commands.
Advisories note that the exploit is public and may be used, as detailed in a GitHub issue at https://github.com/AnalogyC0de/public_exp/issues/9 and VulDB entries at https://vuldb.com/?ctiid.347416, https://vuldb.com/?id.347416, and https://vuldb.com/?submit.757696. The vendor was contacted early about the disclosure but provided no response, and no patches or mitigations are specified.
The vulnerability, linked to CWE-74 and CWE-77, was published on 2026-02-24, with a publicly available exploit heightening the risk of real-world abuse.
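The SI-10 control above calls for validating the fileName argument before it reaches an OS command. The following is an added example of that defensive pattern, not HummerRisk's own code: the base directory, the allowlist pattern and the command being run (cat) are assumptions, since the page does not show the body of CommandUtils.commonExecCmdWithResult.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.regex.Pattern;

/** Added example: allowlist validation of a user-supplied file name before it reaches a process. */
public final class DryRunFileNameGuard {

    // Assumption: dry-run input files live under one fixed directory (hypothetical path).
    private static final Path BASE_DIR = Paths.get("/opt/hummerrisk/dryrun");
    // Allowlist: letters, digits, dot, dash, underscore only; no spaces, slashes or shell metacharacters.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

    private DryRunFileNameGuard() {}

    /** Builds the argv for the command, rejecting anything outside the allowlist or the base directory. */
    static List<String> safeCommand(String fileName) {
        if (fileName == null || !SAFE_NAME.matcher(fileName).matches()
                || fileName.equals(".") || fileName.equals("..")) {
            throw new IllegalArgumentException("fileName rejected by allowlist");
        }
        // Resolve inside the base directory and confirm it did not escape it.
        Path resolved = BASE_DIR.resolve(fileName).normalize();
        if (!resolved.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("fileName escapes base directory");
        }
        // Discrete argv with no shell: the file name is never re-parsed as a command line.
        return List.of("cat", resolved.toString());
    }

    /** Runs the validated command through ProcessBuilder (no "sh -c"), returning the exit code. */
    static int runSafely(String fileName) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(safeCommand(fileName)).redirectErrorStream(true).start();
        return p.waitFor();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate name and three that must be rejected.
        String[] samples = {"report.json", "a.json;id", "../etc/passwd", "$(id).txt"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + safeCommand(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the first sample produces an argv; the other three are rejected before any process is started, which is the check a detection rule or code review should look for around commonExecCmdWithResult.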
Details
- CWE(s)