CVE-2026-6349
Published 2026-04-16
Priority P276 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.14% (79.8th percentile)
The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hgiga | isherlock-audit-4.5 | < 261 | 261 |
| hgiga | isherlock-audit-5.5 | < 261 | 261 |
| hgiga | isherlock-base-4.5 | < 476 | 476 |
| hgiga | isherlock-base-5.5 | < 476 | 476 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-hx2j-xhcm-gv72
ghsa_unreviewed · 2026-04-16
CVE-2026-6349 [CRITICAL] CWE-78
The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.
VulDB
HGiga iSherlock-audit-5.5 os command injection
vuldb · 2026-04-16 · CVSS 10.0
CVE-2026-6349 [CRITICAL]
A vulnerability was found in HGiga iSherlock-base-4.5, iSherlock-audit-4.5, iSherlock-base-5.5 and iSherlock-audit-5.5 and classified as critical. This impacts an unknown function. Such manipulation leads to os command injection.
This vulnerability is uniquely identified as CVE-2026-6349. The attack can be launched remotely. No exploit exists.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-16