Description
A flaw has been found in HummerRisk up to 1.5.0. This vulnerability affects the function fixedCommand of the file hummer-common/hummer-common-core/src/main/java/com/hummer/common/core/utils/PlatformUtils.java of the component Cloud Compliance Scanning. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-24
Score: 5.3 Medium
EPSS: 9.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the fixedCommand function of PlatformUtils.java in the HummerRisk Cloud Compliance Scanning component can lead to the execution of arbitrary operating system commands when supplied with specially crafted input. This weakness is classified as a command injection vulnerability and corresponds to CWE-74 and CWE-77. The issue may allow an attacker to compromise confidentiality, integrity, and availability of the host system by executing arbitrary code.

Affected Systems

The vulnerability affects the HummerRisk Cloud Compliance Scanning product for all releases up to and including version 1.5.0. The affected CPE is hummerrisk:hummerrisk. Any installations using 1.5.0 or older are considered vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, while an EPSS score of 9% suggests a moderate probability of exploitation at present. An exploit has already been published and can be performed remotely. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw by invoking the vulnerable API endpoint from a remote location; no other prerequisites are described in the advisory, although the CVSS vectors recorded in the history below (PR:L in the v3.x and v4.0 vectors, Au:S in the v2.0 vector) indicate that low-privileged authenticated access to the service is required.

Generated by OpenCVE AI on June 18, 2026 at 10:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor-issued update that disables the vulnerable fixedCommand execution path or patch the source to properly sanitize command inputs.
  • Restrict inbound traffic to the HummerRisk scanning service by configuring firewalls or network segmentation so only trusted sources can reach the exposed API.
  • Enable and regularly review audit logs for evidence of unexpected OS command execution or anomalous activity that may indicate exploitation.
  • Consider running the scanning service in an isolated environment or container with limited OS privileges to contain the impact of a potential command injection.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 22:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 21:15:00 +0000

Type | Values Removed | Values Added
CPEs |                | cpe:2.3:a:hummerrisk:hummerrisk:*:*:*:*:*:*:*:*

Tue, 24 Feb 2026 10:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Hummerrisk; Hummerrisk hummerrisk
Vendors & Products  |                | Hummerrisk; Hummerrisk hummerrisk

Tue, 24 Feb 2026 04:00:00 +0000

Type        | Values Removed | Values Added
Description |                | A flaw has been found in HummerRisk up to 1.5.0. This vulnerability affects the function fixedCommand of the file hummer-common/hummer-common-core/src/main/java/com/hummer/common/core/utils/PlatformUtils.java of the component Cloud Compliance Scanning. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title       |                | HummerRisk Cloud Compliance Scanning PlatformUtils.java fixedCommand command injection
Weaknesses  |                | CWE-74; CWE-77
References  |                |
Metrics     |                | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
            |                | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
            |                | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
            |                | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-24T18:55:12.566Z

Reserved: 2026-02-23T18:51:05.297Z

Link: CVE-2026-3066

Vulnrichment

Updated: 2026-02-24T18:55:05.632Z

NVD

Status: Analyzed

Published: 2026-02-24T04:15:58.980

Modified: 2026-06-17T10:42:59.607

Link: CVE-2026-3066

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T11:00:04Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')