CVE-2026-3065
Received Received - Intake
Command Injection in HummerRisk Cloud Task Dry-run Component

Publication date: 2026-02-24

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in HummerRisk up to 1.5.0. This affects the function CommandUtils.commonExecCmdWithResult of the file CloudTaskService.java of the component Cloud Task Dry-run. Performing a manipulation of the argument fileName results in command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3065
EUVD
EUVD-2026-7403
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hummerrisk hummerrisk to 1.5.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3065 is a critical command injection vulnerability in HummerRisk versions up to 1.5.0. It affects the function CommandUtils.commonExecCmdWithResult in the CloudTaskService.java file within the Cloud Task Dry-run component. The vulnerability arises because the "fileName" parameter is directly used in constructing a shell command without any validation or sanitization, allowing attackers to inject and execute arbitrary operating system commands remotely.'}, {'type': 'paragraph', 'content': 'This flaw corresponds to CWE-77 and CWE-78, indicating that externally influenced input is used unsafely to build commands, leading to unauthorized command execution. The vulnerability can be exploited remotely by attackers with dry-run task permissions, and a public proof-of-concept exploit is available.'}] [1, 2, 3]

Impact Analysis

This vulnerability allows immediate remote code execution (RCE) with the privileges of the hummer-risk user, potentially leading to unauthorized control over the affected system.

  • Attackers can execute arbitrary OS commands, including launching reverse shells.
  • Potential privilege escalation if sudo is configured.
  • Data exfiltration such as reading sensitive files (e.g., /etc/passwd), environment variable theft, and credential disclosure.
  • Persistence mechanisms like backdoors or cron jobs can be installed.
  • Lateral movement within the network and cloud credential theft.
  • Complete exposure of cloud infrastructure, data breaches, and service disruption.
Compliance Impact

This vulnerability can lead to compliance violations with common standards and regulations such as GDPR, PCI DSS, and SOC 2 due to unauthorized data access, data breaches, and potential exposure of sensitive information.

Exploitation may result in loss of confidentiality, integrity, and availability of data, which are critical requirements under these regulations.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious "fileName" parameter values that contain shell metacharacters or command keywords such as curl, wget, bash, nc, and cat.'}, {'type': 'paragraph', 'content': 'Unusual API activity, such as a high frequency of dry-run requests or large parameter payloads, may also indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'A Sigma detection rule is available to identify immediate command injection attempts targeting this vulnerability.'}, {'type': 'paragraph', 'content': 'Suggested detection commands include inspecting logs for suspicious "fileName" values and monitoring network traffic for unusual POST requests to the /task/manual/dryRun API endpoint.'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include implementing strict input validation on the "fileName" parameter to enforce a safe format and block dangerous characters such as ; & | ` $ () <> * ? [] { } \' " \\.'}, {'type': 'paragraph', 'content': "Use safe command execution APIs like Java's ProcessBuilder with argument arrays to avoid shell interpretation instead of Runtime.exec() with shell commands."}, {'type': 'paragraph', 'content': 'Enforce a whitelist of valid Prowler check names and use parameterized command construction patterns to prevent injection.'}, {'type': 'paragraph', 'content': 'Additional recommendations include conducting architecture reviews, developer security training, mandatory code reviews, deploying WAF rules, audit logging, monitoring for suspicious patterns, and rate limiting on the dry-run endpoint.'}, {'type': 'paragraph', 'content': 'If possible, consider replacing the affected product as no official vendor mitigations have been provided.'}] [2, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3065. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart