CVE-2026-3064
Published 2026-02-24
Priority: P2 · 76 · CVSS 3.1: 8.8 (high)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 14.38% (96.2th percentile)
A security vulnerability has been identified in HummerRisk up to and including 1.5.0. It affects an unidentified function in the file ResourceCreateService.java of the Cloud Task Scheduler component. Manipulation of the argument regionId leads to command injection. The attack can be launched remotely; the NVD v3.1 vector rates privileges required as Low, so a valid low-privileged HummerRisk account is enough to reach the affected endpoint. A public exploit has been disclosed and may be in use. The vendor was contacted early about this disclosure but did not respond. No fixed version is listed in the affected ranges.
Affected
7 ranges (only the first carries version data; the remaining six list no version or fix)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hummerrisk | hummerrisk | <= 1.5.0 | — |
Detection & IOCs
URL: /task/manual/create
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS HummerRisk Task Create regions Parameter Command Injection Attempt (CVE-2026-3064)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/task/manual/create"; fast_pattern; http.request_body; content:"|22|regions|22|"; pcre:"/^(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26|%26){2})+/R"; reference:url,github.com/AnalogyC0de/public_exp/issues/8; reference:cve,2026-3064; classtype:attempted-admin; sid:2067915; rev:1; metadata:affected_product HummerRisk, attack_target Web_Server, tls_state plaintext, created_at 2026_02_24, cve CVE_2026_3064, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_02_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Targets POST requests whose URI is exactly /task/manual/create (bsize:19), the Cloud Task Scheduler endpoint in HummerRisk.
- Inspects the HTTP request body for the "regions" JSON key (hex |22|regions|22|) followed, within that value, by a shell metacharacter in raw or percent-encoded form: semicolon (; / %3B), newline (\n / %0A), backtick (` / %60), pipe (| / %7C), dollar sign ($ / %24) or double ampersand (&& / %26%26). The lazy scan stops at a comma or closing brace, so metacharacters in other JSON fields do not fire the rule.
- The injection point is the regionId argument in ResourceCreateService.java; the wire-level key the rule matches on is "regions", and any of the listed metacharacters in that field is flagged as an exploitation attempt.
- A public exploit PoC is referenced at the GitHub issue cited in the rule; treat matching traffic as high-confidence attempted-admin exploitation (MITRE T1190, Exploit Public-Facing Application).
- The rule (sid:2067915) is scoped to plaintext HTTP (tls_state plaintext) and is intended for both perimeter and internal deployment; HTTPS-wrapped traffic to the same endpoint will not match without TLS inspection.
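As an added example (not HummerRisk code and not part of the Emerging Threats rule set), the following Python re-implements the matching conditions of sid:2067915 over raw HTTP request bytes so the trigger conditions can be exercised offline. The URI and the "regions" key are taken from the rule itself; the Host header, the accountId/note field names and the sample request bodies are constructed for this example; the retry over later occurrences of the key mirrors how Suricata re-tries a content match when the relative pcre after it fails.

```python
"""Port of the matching logic of ET sid:2067915 (CVE-2026-3064) to plain Python.

Added example: this is not HummerRisk code and not the Suricata engine. It
re-implements the rule's sticky-buffer checks over raw HTTP request bytes.
The sample requests below are constructed for the example; the parameter
name "regions" and the URI /task/manual/create come from the rule.
"""
import re

RULE_URI = b"/task/manual/create"   # http.uri; bsize:19; content -> exact match
RULE_KEY = b'"regions"'             # http.request_body; content:"|22|regions|22|"

# The rule's pcre. The /R anchor is supplied by Pattern.match(body, pos) below
# (a leading '^' would anchor at the start of the whole body in Python).
# Optional  ': "'  or  ':"'  key/value separator, then a lazy scan that stops
# at ',' or '}' so only this value is inspected, then at least one shell
# metacharacter, raw or percent-encoded:  ; %3B  \n %0A  ` %60  | %7C  $ %24  && %26%26
RULE_PCRE = re.compile(
    rb"(?:\x3a(?:\x20\x22|\x22))?"
    rb"[^\x2c\x7d$]*?"
    rb"(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)"
    rb"|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26|%26){2})+"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return None, None, body
    return parts[0], parts[1], body


def matches_rule(raw: bytes) -> bool:
    """True when the request satisfies every condition of sid:2067915."""
    method, uri, body = parse_request(raw)
    if method != b"POST":          # http.method; content:"POST"
        return False
    if uri != RULE_URI:            # bsize:19 + content: the URI must be exactly this
        return False
    # Suricata retries the content match at each later occurrence of the key
    # when the relative pcre fails, so do the same here.
    start = 0
    while True:
        idx = body.find(RULE_KEY, start)
        if idx == -1:
            return False
        if RULE_PCRE.match(body, idx + len(RULE_KEY)):
            return True
        start = idx + 1


def http_post(uri: bytes, body: bytes) -> bytes:
    """Build a minimal HTTP/1.1 POST (constructed sample traffic, hypothetical host)."""
    return (b"POST " + uri + b" HTTP/1.1\r\nHost: hummerrisk.example\r\n"
            b"Content-Type: application/json\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed sample requests: benign traffic, several injection shapes, and
# two cases that show the rule's scoping limits.
SAMPLES = {
    "benign":         http_post(RULE_URI, b'{"regions":"cn-hangzhou","accountId":"1"}'),
    "semicolon":      http_post(RULE_URI, b'{"regions":"cn-hangzhou;id","accountId":"1"}'),
    "pipe_encoded":   http_post(RULE_URI, b'{"regions":"cn-hangzhou%7Cwhoami"}'),
    "array_backtick": http_post(RULE_URI, b'{"regions":["cn-hangzhou`id`"],"accountId":"1"}'),
    "meta_elsewhere": http_post(RULE_URI, b'{"regions":"cn-hangzhou","note":"a;b"}'),
    "single_amp":     http_post(RULE_URI, b'{"regions":"a&b"}'),
    "query_string":   http_post(RULE_URI + b"?x=1", b'{"regions":"cn-hangzhou;id"}'),
    "other_uri":      http_post(b"/task/manual/list", b'{"regions":"cn;id"}'),
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the rule; True means ALERT."""
    return {name: matches_rule(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:15s} {'ALERT' if hit else 'pass'}")
```

Two of the constructed cases are worth attention when deploying the signature. Because of bsize:19, a POST to /task/manual/create?x=1 does not match even with an injected value (the query_string sample), so a request with any query string evades the rule as written; a broader URI check is needed if that matters in your environment. And because the lazy scan stops at a comma or brace, a metacharacter in another JSON field (the meta_elsewhere sample) and a single & in the regions value (single_amp) do not fire, which keeps false positives down but also means the rule only sees the first occurrence of each operator form it lists.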
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
The v3.1 and v4.0 assessments disagree: the v3.1 vector rates confidentiality, integrity and availability impact as High (8.8), while the v4.0 vector rates each impact Low and includes Exploit Maturity P (proof-of-concept), so its 2.1 is a threat-adjusted score rather than a base score. Both agree that only low privileges (PR:L) and no user interaction are required.
Suricata
ET WEB_SPECIFIC_APPS HummerRisk Task Create regions Parameter Command Injection Attempt (CVE-2026-3064)
suricata · 2026-02-24 · CVSS 5.3 [MEDIUM]
Rule: sid:2067915; the full rule text is given under Detection & IOCs above.
No public exploits indexed.
No writeups or analysis indexed.