Cyber Resilience

CVE-2026-6349

Severity: Critical · RCE
Published: 16 April 2026
Modified: 19 May 2026
KEV Added: not listed
Patch: none recorded
CVSS v4 Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0214 (79.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-6349 is a critical-severity OS Command Injection (CWE-78) vulnerability in Org (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The iSherlock software developed by HGiga contains an OS command injection vulnerability, identified as CVE-2026-6349 and classified as CWE-78. The flaw allows arbitrary operating system commands to be injected and executed on the server; it carries a CVSS 4.0 score of 9.3 with a network attack vector and no required privileges or user interaction.

Unauthenticated local attackers can exploit the weakness to run arbitrary commands on the server, achieving high impacts on confidentiality, integrity, and availability. The EPSS score stands at 0.0296 with an identical peak value, indicating no material rise after disclosure.

Advisories addressing the issue have been published by Taiwan's CERT at the referenced URLs. No information on real-world exploitation or patches is provided in the available data.


Vulnerability details

The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.

CWE(s)

CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Unauthenticated remote OS command injection in a public-facing application enables T1190 for initial access via exploitation and T1059 for arbitrary command execution with server privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28470 (shared CWE-78)
CVE-2025-69269 (shared CWE-78)
CVE-2025-24971 (shared CWE-78)
CVE-2026-22553 (shared CWE-78)
CVE-2026-22901 (shared CWE-78)
CVE-2026-1345 (shared CWE-78)
CVE-2025-9588 (shared CWE-78)
CVE-2026-24689 (shared CWE-78)
CVE-2025-0457 (shared CWE-78)
CVE-2020-37027 (shared CWE-78)

Affected Assets

Org (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

prevent (SI-10, Information Input Validation): Directly requires validation and sanitization of all inputs to block OS command injection strings before they reach the shell.

prevent (AC-3, Access Enforcement): Enforces authentication and authorization checks on the vulnerable endpoint so unauthenticated attackers cannot reach the injection point.

prevent: Requires prompt application of vendor patches that eliminate the command-injection flaw in iSherlock.

References