Cyber Resilience

CVE-2026-3065

Severity: Medium · Public PoC

Published: 24 February 2026

Modified: 24 February 2026
KEV Added: not listed
Patch: none specified
CVSS Score (v4.0): 5.3 · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.2410 (97.6th percentile)
Risk Priority: 60 (floored blend · peak EPSS)

Summary

CVE-2026-3065 is a medium-severity Injection (CWE-74) vulnerability in HummerRisk (vendor Hummerrisk, product Hummerrisk). Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE is ranked in the top 2.4% of CVEs by exploit likelihood, a public proof-of-concept is referenced, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3065 is a command injection vulnerability affecting HummerRisk versions up to 1.5.0. The flaw resides in the CommandUtils.commonExecCmdWithResult function within the CloudTaskService.java file of the Cloud Task Dry-run component. It stems from improper validation of the fileName argument, enabling attackers to inject and execute arbitrary commands.

Remote exploitation is possible with low complexity over the network, requiring low privileges (PR:L) and no user interaction. Per the CVSS v3.1 score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), attackers with authenticated low-privilege access can achieve limited impacts on confidentiality, integrity, and availability through injected commands.

Advisories note that the exploit is public and may be used, as detailed in a GitHub issue at https://github.com/AnalogyC0de/public_exp/issues/9 and VulDB entries at https://vuldb.com/?ctiid.347416, https://vuldb.com/?id.347416, and https://vuldb.com/?submit.757696. The vendor was contacted early about the disclosure but provided no response, and no patches or mitigations are specified.

The vulnerability, linked to CWE-74 and CWE-77, was published on 2026-02-24, with a publicly available exploit heightening the risk of real-world abuse.

Vulnerability details

A vulnerability was detected in HummerRisk up to 1.5.0. This affects the function CommandUtils.commonExecCmdWithResult of the file CloudTaskService.java of the component Cloud Task Dry-run. Performing a manipulation of the argument fileName results in command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s): CWE-74 (Injection), CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection vulnerability directly enables arbitrary OS command execution, mapping to Unix Shell (T1059.004) as the affected component uses system command execution in a Java-based cloud service likely on Linux/Unix.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3064 (same product: Hummerrisk Hummerrisk)
CVE-2026-3066 (same product: Hummerrisk Hummerrisk)
CVE-2026-3067 (same product: Hummerrisk Hummerrisk)
CVE-2025-63721 (same product: Hummerrisk Hummerrisk)
CVE-2026-1413 (shared CWE-74, CWE-77)
CVE-2026-1624 (shared CWE-74, CWE-77)
CVE-2025-59046 (shared CWE-77)
CVE-2026-4204 (shared CWE-74, CWE-77)
CVE-2026-8345 (shared CWE-74, CWE-77)
CVE-2026-4197 (shared CWE-74, CWE-77)

Affected Assets

Vendor: hummerrisk · Product: hummerrisk · Versions: ≤ 1.5.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)
Directly requires validation of untrusted inputs like the fileName argument to prevent command injection in the CommandUtils.commonExecCmdWithResult function.

SI-2 Flaw Remediation (prevent)
Mandates timely identification, reporting, and correction of flaws such as the improper input validation enabling command injection in HummerRisk's Cloud Task Dry-run component.

AC-6 Least Privilege (prevent)
Enforces least privilege to restrict the impact of arbitrary commands injected by low-privilege authenticated attackers exploiting the vulnerability.
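As an added illustration (not HummerRisk's code and not part of this record), the pattern behind a fileName command injection of the kind described under Deeper analysis, next to the hardened form that SI-10 asks for: the vulnerable method pastes the user-supplied name into a shell command line, while the safe one allow-lists the name, confines it to a base directory and invokes the program with an argument vector so no shell re-parses the input. The class name, the base directory, the `cat` command and the sample inputs are assumptions.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical dry-run helper; illustrates the bug class, not HummerRisk's code.
public class DryRunCommand {

    // Vulnerable pattern: the untrusted name becomes part of a shell command
    // line, so any shell metacharacters it contains are interpreted by sh.
    static Process unsafeExec(String fileName) throws IOException {
        String cmd = "cat /opt/dryrun/" + fileName;            // constructed path
        return new ProcessBuilder("sh", "-c", cmd).start();
    }

    // Allow-list: one path component built only from safe characters.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9._-]{1,128}$");
    private static final Path BASE_DIR = Path.of("/opt/dryrun"); // constructed

    static boolean isSafeFileName(String fileName) {
        return fileName != null
            && SAFE_NAME.matcher(fileName).matches()
            && !fileName.equals(".")
            && !fileName.equals("..");
    }

    // Hardened: validate first, keep the path inside BASE_DIR, then run the
    // program directly with an argument vector. No shell is involved.
    static Process safeExec(String fileName) throws IOException {
        if (!isSafeFileName(fileName)) {
            throw new IllegalArgumentException("rejected fileName");
        }
        Path target = BASE_DIR.resolve(fileName).normalize();
        if (!target.startsWith(BASE_DIR)) {                     // defence in depth
            throw new IllegalArgumentException("path escapes base directory");
        }
        return new ProcessBuilder(List.of("cat", target.toString())).start();
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain report name and one carrying a separator.
        System.out.println(isSafeFileName("report-2026.json"));
        System.out.println(isSafeFileName("report.json; id"));
    }
}
```

The second input is refused before any process is started; with the unsafe method it would have been handed to sh as part of the command line.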
