Cyber Resilience

CVE-2026-6849

High · RCE · Updated

Published: 29 April 2026
Modified: 06 June 2026
KEV Added: not listed
Patch: upgrade to Pardus OS My Computer 0.8.0 or later
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0101 (58.8th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-6849 is a high-severity OS Command Injection (CWE-78) vulnerability; the affected asset class is recorded as Gov (inferred from references, since NVD filed no CPE for this CVE). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 41.2% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6849 is an improper neutralization of special elements used in an OS command, enabling OS command injection (CWE-78), in the My Computer component of Pardus OS from TUBITAK BILGEM Software Technologies Research Institute. This vulnerability affects Pardus OS My Computer versions up to and including 0.7.5, prior to version 0.8.0. It was published on 2026-04-29 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Remote attackers can exploit this vulnerability over the network with low attack complexity and no required privileges, though user interaction is necessary. Successful exploitation grants attackers the ability to inject and execute arbitrary OS commands with high impacts on confidentiality, integrity, and availability.

The USOM advisory at https://www.usom.gov.tr/bildirim/tr-26-0131 provides further details, with mitigation achieved by upgrading Pardus OS My Computer to version 0.8.0 or later.

Vulnerability details

Improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus OS My Computer allows OS Command Injection. This issue affects Pardus OS My Computer: from <=0.7.5 before 0.8.0.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The CVE enables OS command injection in a client application (My Computer in Pardus OS), which maps to exploitation for client execution (T1203) and to arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5485 (shared CWE-78)
CVE-2026-40032 (shared CWE-78)
CVE-2026-33412 (shared CWE-78)
CVE-2025-1244 (shared CWE-78)
CVE-2026-41015 (shared CWE-78)
CVE-2026-40030 (shared CWE-78)
CVE-2026-24844 (shared CWE-78)
CVE-2026-39862 (shared CWE-78)
CVE-2026-33874 (shared CWE-78)
CVE-2026-34714 (shared CWE-78)

Affected Assets

Gov (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent: SI-10 Information Input Validation
Directly addresses the improper neutralization of special elements in OS commands by requiring validation of inputs to prevent command injection.

Prevent: SI-2 Flaw Remediation
Mitigates the vulnerability by identifying, reporting, and correcting the specific flaw through patching to Pardus OS My Computer version 0.8.0 or later.

Detect: system monitoring
Enables monitoring of the system to detect unauthorized OS command execution resulting from successful injection attempts.

References

USOM advisory TR-26-0131: https://www.usom.gov.tr/bildirim/tr-26-0131