CVE-2026-6349
Published: 16 April 2026
Summary
CVE-2026-6349 is a critical-severity OS Command Injection (CWE-78) vulnerability in HGiga iSherlock. Its CVSS 4.0 base score is 9.3 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.3% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations identified are NIST 800-53 AC-3 (Access Enforcement), which keeps unauthenticated callers away from the injection point, and SI-10 (Information Input Validation), which keeps shell metacharacters out of the command.
Deeper analysis
The iSherlock software developed by HGiga contains an OS command injection vulnerability, tracked as CVE-2026-6349 and classified as CWE-78. The flaw allows arbitrary operating system commands to be injected into a server-side command and executed with the privileges of the server process. It carries a CVSS 4.0 score of 9.3 with a network attack vector, no privileges required and no user interaction.
Successful exploitation has high impact on confidentiality, integrity and availability. Note that the published description says "unauthenticated local attackers", which does not match the Network attack vector in the CVSS metrics; the vector indicates the injection point is reachable over the network without authentication, and the ATT&CK mapping below treats it that way. The EPSS score is 0.0296 (2.96%) and is identical to its peak value, so predicted exploitation activity has not risen materially since disclosure.
Advisories addressing the issue have been published by Taiwan's CERT (TWCERT/CC) at the referenced URLs. No information on in-the-wild exploitation or on a vendor patch is provided in the available data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23165
Vulnerability details
The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, "OS Command Injection")
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The injection point sits in a public-facing application and is reachable without authentication, so exploiting it is initial access via T1190 (Exploit Public-Facing Application). The injected commands then run through the server's OS shell with the privileges of the server process, which is T1059 (Command and Scripting Interpreter).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of all inputs so that OS command injection strings are rejected before they reach a shell; an allow-list of the expected value format is stronger than stripping known metacharacters.
- AC-3 (Access Enforcement): enforces authentication and authorization checks on the vulnerable endpoint so unauthenticated attackers cannot reach the injection point; this reduces exposure but does not remove the flaw.
- SI-2 (Flaw Remediation): requires prompt application of vendor patches that eliminate the command-injection flaw in iSherlock; no patch is referenced in the available data, so track the TWCERT/CC advisories and the vendor for a fix.
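The following is an added example written for this page; it is not HGiga's or TWCERT/CC's code and does not reproduce the real iSherlock endpoint, which the advisory does not describe. It shows the CWE-78 pattern behind this class of bug beside the SI-10 style fix: a hypothetical hostname-lookup handler built first as a shell command string and then as a validated argv list. The `echo` command (standing in for whatever tool the real handler would invoke), the hostname regex and the sample inputs are assumptions for illustration.

```python
"""Added example (not HGiga's or TWCERT/CC's code): the CWE-78 pattern
behind CVE-2026-6349 next to a hardened form, using a hypothetical
hostname-lookup handler as a stand-in for the unnamed iSherlock endpoint."""
import re
import subprocess

# Constructed sample inputs, not taken from the advisory.
BENIGN_HOST = "mail.example.com"
PAYLOAD = "mail.example.com; echo INJECTED"


def lookup_vulnerable(host: str) -> str:
    """Builds a shell command string from untrusted input (CWE-78).
    `echo` stands in for the real tool; with shell=True the ';' in the
    input ends the intended command and starts the attacker's."""
    cmd = f"echo resolving {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# SI-10 style allow-list (assumed format): RFC 1123 host labels only,
# which by construction excludes every shell metacharacter.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def validate_hostname(host: str) -> str:
    """Reject anything that is not a plain hostname; return it unchanged."""
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return host


def lookup_hardened(host: str) -> str:
    """Validate first, then pass the value as one argv element, no shell."""
    host = validate_hostname(host)
    out = subprocess.run(["echo", "resolving", host],
                         capture_output=True, text=True, check=True)
    return out.stdout


def lookup_argv_only(host: str) -> str:
    """Argv form without validation: the payload becomes a single literal
    argument and no shell parses it, so no second command runs. Validation
    is still wanted so the target program itself cannot be steered by
    option-like input (for example a leading '-')."""
    return subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True, check=True).stdout


def injected(output: str) -> bool:
    """True when the attacker's command produced its own output line."""
    return "INJECTED" in output.splitlines()


def hardened_rejects(host: str) -> bool:
    """True when the validated handler refuses the input."""
    try:
        lookup_hardened(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable :", injected(lookup_vulnerable(PAYLOAD)))  # True
    print("argv only  :", injected(lookup_argv_only(PAYLOAD)))   # False
    print("hardened   :", hardened_rejects(PAYLOAD))             # True
```

The two defenses are independent: the argv list stops the shell from ever parsing the input, and the allow-list stops the input from reaching any program in a form that program might misinterpret. Apply both; a fix that only adds quoting around the interpolated string still leaves the shell in the path.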