CVE-2026-3067
Received Received - Intake
Path Traversal in HummerRisk Archive Extraction Allows Remote Attack

Publication date: 2026-02-24

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in HummerRisk up to 1.5.0. This issue affects the function extractTarGZ/extractZip of the file hummer-common/hummer-common-core/src/main/java/com/hummer/common/core/utils/CommandUtils.java of the component Archive Extraction. The manipulation leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3067
EUVD
EUVD-2026-7396
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hummerrisk hummerrisk to 1.5.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3067 is a critical path traversal vulnerability in HummerRisk versions up to 1.5.0, specifically in the archive extraction functions extractTarGZ and extractZip. The vulnerability occurs because the software fails to properly validate or sanitize file paths inside tar.gz and zip archives during extraction.

This flaw allows an authenticated attacker with file upload permissions to manipulate archive entry names using path traversal sequences (e.g., ../) to escape the intended extraction directory. As a result, the attacker can write arbitrary files anywhere on the filesystem.

Exploitation can lead to arbitrary file writes such as injecting SSH keys for root access, creating malicious cron jobs, uploading web shells, or replacing application libraries, potentially resulting in remote code execution and full system compromise.

Impact Analysis

This vulnerability can have severe impacts including unauthorized file system access, remote code execution, and privilege escalation.

  • Attackers can write arbitrary files anywhere on the system, including sensitive locations.
  • They can inject SSH keys to gain root access.
  • Malicious cron jobs can be created to execute harmful scripts with system privileges.
  • Web shells can be uploaded to enable remote command execution.
  • Critical application libraries can be replaced to maintain persistence and execute code on restart.

Overall, the vulnerability compromises confidentiality, integrity, and availability of the affected system, potentially leading to full system compromise and root privilege escalation.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "Detection of this vulnerability involves monitoring for suspicious archive uploads and extraction activities that include path traversal sequences such as '../' in file names within tar.gz or zip archives."}, {'type': 'paragraph', 'content': 'Since the vulnerability is exploited by uploading crafted archives via endpoints like POST /fs/add/fs, inspecting logs for such requests and analyzing uploaded archive contents for path traversal patterns is recommended.'}, {'type': 'paragraph', 'content': 'Commands to detect potential exploitation attempts could include scanning extracted files for unexpected locations or unauthorized files such as SSH keys in /root/.ssh/authorized_keys, cron jobs in /etc/cron.d/, or web shells in web root directories.'}, {'type': 'list_item', 'content': "Use find commands to locate suspicious files, e.g., `find / -name '*.jsp'` to find web shells."}, {'type': 'list_item', 'content': 'Check for unauthorized SSH keys: `cat /root/.ssh/authorized_keys` and verify contents.'}, {'type': 'list_item', 'content': 'Monitor web server logs and application logs for unusual archive upload activity.'}, {'type': 'list_item', 'content': 'Use file integrity monitoring tools to detect unexpected file changes outside normal directories.'}] [3]

Mitigation Strategies

Immediate mitigation steps include restricting or disabling archive upload and extraction functionality in HummerRisk versions up to 1.5.0 until a fix or patch is available.

Since no official patches or vendor responses are available, consider replacing the affected component with an alternative product that does not have this vulnerability.

Implement strict validation and sanitization of archive entry paths before extraction to prevent path traversal, including canonicalizing paths and rejecting entries that escape the intended extraction directory.

  • Perform extraction in sandboxed environments such as containers or chroot jails to limit potential damage.
  • Enforce file type whitelists and limit extracted file sizes.
  • Reject symbolic links that point outside the extraction directory.
  • Scan extracted content for malicious patterns immediately after extraction.

Monitor systems for signs of compromise such as unauthorized SSH keys, cron jobs, or web shells and respond accordingly.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3067. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart