CVE-2026-3065
Published: 2026-02-24
Priority: P2 · 77 · CVSS 3.1 score 8.8 (High) · vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 24.10% (97.6th percentile)
A vulnerability was detected in HummerRisk up to 1.5.0. It affects the function CommandUtils.commonExecCmdWithResult in the file CloudTaskService.java of the Cloud Task Dry-run component. Manipulating the fileName argument leads to OS command injection. The attack can be launched remotely, and an authenticated low-privilege account is sufficient (PR:L in the CVSS vector). A public exploit exists and may be in use. The vendor was contacted early about this disclosure but did not respond.
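The bug class described above, illustrated in Python as an added example (this is not HummerRisk's Java code; CommandUtils.commonExecCmdWithResult is not reproduced here, and the command shape `echo reading <fileName>` and the allowlist pattern are assumptions made for the demonstration): a fileName string spliced into a shell command line, beside the same call made without a shell and with the name validated first.

```python
"""Illustration of the fileName command-injection class described above.

Added example, not HummerRisk's code: CommandUtils.commonExecCmdWithResult is
Java and its body is not reproduced here.  Assumptions: the command the value
lands in is modelled as `echo reading <fileName>` so that it runs anywhere, and
the allowlist below is one reasonable policy, not the project's.
"""
import re
import subprocess

# Assumed allowlist for a bare file name: no path separators, no shell metacharacters.
SAFE_FILE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def run_vulnerable(file_name: str) -> str:
    """String concatenation plus a shell: the shell parses ';', '|', '&&', '`'
    and '$()' inside file_name, so the caller's command boundary is lost."""
    cmd = f"echo reading {file_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(file_name: str) -> str:
    """No shell: the value is one argv element and metacharacters are inert bytes.
    This alone stops shell injection, but not argument or path abuse."""
    return subprocess.run(["echo", "reading", file_name],
                          capture_output=True, text=True).stdout


def is_safe_file_name(file_name: str) -> bool:
    """Allowlist check (assumed policy): letters, digits, '.', '_', '-' only,
    first character alphanumeric, so '..', '../x' and '/etc/passwd' are rejected."""
    return SAFE_FILE_NAME.fullmatch(file_name) is not None


def run_hardened(file_name: str) -> str:
    """Validate first, then execute without a shell."""
    if not is_safe_file_name(file_name):
        raise ValueError(f"rejected fileName: {file_name!r}")
    return run_argv_only(file_name)


if __name__ == "__main__":
    payload = "a.txt; echo INJECTED"           # constructed attacker value
    print(repr(run_vulnerable(payload)))       # the second command ran
    print(repr(run_argv_only(payload)))        # whole value echoed literally
    print(is_safe_file_name(payload))          # False
    print(repr(run_hardened("report.yaml")))
```

The argv form is the fix for the shell-parsing problem; the allowlist is still needed because a file name that never touches a shell can still be `../../etc/passwd` or start with `-` and be read as an option by the invoked program.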
Affected: 7 ranges listed, of which only the first carries version data; no fixed version is listed.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hummerrisk | hummerrisk | <= 1.5.0 | — |
Detection & IOCs (extracted from sources)
Reference URL: https://github.com/AnalogyC0de/public_exp/issues/9
Rule (Suricata syntax, ET Open SID 2067914):

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS HummerRisk dryRun filename Parameter Command Injection Attempt (CVE-2026-3065)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/task/manual/dryRun"; fast_pattern; http.request_body; content:"|22|parameter|22|"; content:"|22|key|22|"; content:"|22|fileName|22|"; content:"|22|defaultValue|22|"; pcre:"/\x22(?:key|fileName|defaultValue)\x22(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26|%26){2})+/R"; reference:url,github.com/AnalogyC0de/public_exp/issues/9; reference:cve,2026-3065; classtype:attempted-admin; sid:2067914; rev:1; metadata:affected_product HummerRisk, attack_target Web_Server, tls_state plaintext, created_at 2026_02_24, cve CVE_2026_3065, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_02_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

- The exploit targets HTTP POST requests to the exact URI /task/manual/dryRun (bsize:19 pins the URI buffer to 19 bytes) in HummerRisk's Cloud Task Dry-run endpoint.
- The request body must contain the JSON key names "parameter", "key", "fileName" and "defaultValue"; inspect the POST body for all four together.
- The command-injection payload sits in the value following "key", "fileName" or "defaultValue" and is matched on shell metacharacters, raw or percent-encoded: semicolon (; / %3B), newline (\n / %0A), backtick (` / %60), pipe (| / %7C), dollar sign ($ / %24) or double ampersand (&& / %26%26).
- The exploit is public and linked to a GitHub PoC; monitor for exploitation attempts from the perimeter and from internal networks (the rule is flagged tls_state plaintext).
- The vulnerable component is CommandUtils.commonExecCmdWithResult in CloudTaskService.java; the fileName argument is the injection point passed to OS command execution.
- The rule (SID 2067914) covers only plaintext HTTP; exploitation over HTTPS is not detected unless TLS is terminated upstream of the sensor.
- Limits visible in the rule text: the URI must be exactly 19 bytes, so a request with a query string appended to the path is not matched; metacharacters are matched only raw or percent-encoded, so a JSON \u escape (\u003b for ;) that the server-side JSON parser decodes is not covered; a single & is not matched because the pattern requires two.
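The matching logic of SID 2067914 restated in Python and run over constructed requests, as an added example (it is not the ET rule itself, not a Suricata engine and not HummerRisk code): it reproduces the exact-URI check, the four required key names and the metacharacter regex, then shows requests the rule text does not cover. One simplification is labelled in the code: the regex is searched over the whole body rather than relative to the last content match (the rule's /R modifier). The sample requests and the body shape are constructed for the example, not captured traffic.

```python
"""Python restatement of ET SID 2067914's matching logic over constructed requests.

Added example: not the ET rule, not Suricata, not HummerRisk code.
Simplification (assumption): the regex is searched over the whole body, whereas
the rule's pcre is relative (/R) to the last content match.  The sample requests
and the JSON body shape below are constructed for the example.
"""
import re

URI = b"/task/manual/dryRun"                      # http.uri; bsize:19; exact content
REQUIRED_KEYS = (b'"parameter"', b'"key"', b'"fileName"', b'"defaultValue"')

# Same pattern as the rule's pcre: a key name, optional ':"' or ': "', a non-greedy
# run of bytes other than ',' '}' '$', then one or more metacharacters, raw or
# percent-encoded: ';'  newline  '`'  '|'  '$'  and '&&' (two '&' required).
META = re.compile(
    rb'"(?:key|fileName|defaultValue)"(?::(?: "|"))?[^,}$]*?'
    rb'(?:(?:;|%3[Bb])|(?:\n|%0[Aa])|(?:`|%60)|(?:\||%7[Cc])|(?:\$|%24)|(?:&|%26){2})+'
)


def parse_request(raw: bytes):
    """Minimal HTTP/1.1 request split: returns (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, uri, _version = head.split(b"\r\n", 1)[0].split(b" ", 2)
    return method, uri, body


def matches_sid_2067914(raw: bytes) -> bool:
    method, uri, body = parse_request(raw)
    if method != b"POST":
        return False
    if len(uri) != 19 or uri != URI:              # bsize:19 makes the URI match exact
        return False
    if not all(key in body for key in REQUIRED_KEYS):
        return False
    return META.search(body) is not None


def build_request(uri: bytes, body: bytes) -> bytes:
    """Constructed request; the host name is a placeholder."""
    return (b"POST " + uri + b" HTTP/1.1\r\nHost: hummerrisk.example\r\n"
            b"Content-Type: application/json\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def dry_run_body(value: bytes) -> bytes:
    """Constructed body carrying the four key names the rule requires."""
    return b'{"parameter":[{"key":"fileName","defaultValue":"' + value + b'"}]}'


SAMPLES = {
    "benign":       build_request(URI, dry_run_body(b"report.yaml")),
    "semicolon":    build_request(URI, dry_run_body(b"a;id")),
    "encoded_pipe": build_request(URI, dry_run_body(b"a%7Cid")),
    "subshell":     build_request(URI, dry_run_body(b"$(id)")),
    "double_amp":   build_request(URI, dry_run_body(b"a&&id")),
    # Not covered by the rule text:
    "single_amp":   build_request(URI, dry_run_body(b"a&id")),          # rule needs '&&'
    "json_escape":  build_request(URI, dry_run_body(b"a\\u003bid")),    # ';' as a JSON \u escape
    "query_string": build_request(URI + b"?x=1", dry_run_body(b"a;id")),  # URI no longer 19 bytes
    "wrong_method": build_request(URI, dry_run_body(b"a;id")).replace(b"POST", b"GET", 1),
}


def evaluate() -> dict:
    """Name -> whether the restated rule logic would alert on that request."""
    return {name: matches_sid_2067914(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:13s} {'ALERT' if hit else '-'}")
```

The three uncovered cases are the ones to keep in mind when tuning: the JSON-escape and single-ampersand bodies reach the application unchanged but never contain a byte the pcre looks for, and the query-string variant fails the length check before the body is even inspected.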
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |

The scores disagree on impact: the v3.1 vector rates confidentiality, integrity and availability High, while the v4.0 vector rates all three Low and also carries the threat metric E:P (proof-of-concept exploit), so 2.1 is a CVSS-BT value rather than a base score. For triage, the v3.1 score, the EPSS percentile and the public PoC together describe authenticated remote command execution with a working exploit.
Suricata
ET WEB_SPECIFIC_APPS HummerRisk dryRun filename Parameter Command Injection Attempt (CVE-2026-3065)
Source: suricata · 2026-02-24 · severity MEDIUM (CVSS 5.3) · SID 2067914; the full rule text is given under Detection & IOCs above.
No public exploits indexed (the PoC the rule references, https://github.com/AnalogyC0de/public_exp/issues/9, is listed under Detection & IOCs).
No writeups or analysis indexed.