Description
Improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus OS My Computer allows OS Command Injection.

This issue affects Pardus OS My Computer: from <=0.7.5 before 0.8.0.
Published: 2026-04-29
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection flaw in the My Computer component of Pardus OS, allowing an attacker to supply unsanitized input that is directly incorporated into an operating‑system command. The improper neutralization of special elements means that an attacker could execute arbitrary commands, leading to remote code execution, full system compromise, and data exfiltration. This weakness is classified as CWE‑78, indicating failures in input validation for OS command execution.

Affected Systems

The flaw affects Pardus OS My Computer from version 0.7.5 and earlier; the issue is resolved in 0.8.0 and later releases. The affected vendor is TUBITAK BILGEM Software Technologies Research Institute, which maintains the Pardus OS distribution.

Risk and Exploitability

The CVSS score of 8.8 indicates a high-severity vulnerability, and the lack of an EPSS score suggests that specific exploitation data is not publicly available yet. The flaw is not listed in the CISA KEV catalog, but the potential for arbitrary command execution makes it a high‑risk vulnerability. The likely attack vector is local or remote input to the My Computer interface; an attacker with the ability to influence the affected parameter could trigger the injection. No specific mitigation is reported, so the risk remains until a patch is applied.

Generated by OpenCVE AI on April 29, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy Pardus OS My Computer version 0.8.0 or higher, which fixes the command injection flaw.
  • If an immediate update is not possible, isolate the component by restricting the directory and file permissions and removing any executable paths that could be abused.
  • Ensure the service running My Computer operates with the minimum required privileges and monitor for abnormal command execution.

Generated by OpenCVE AI on April 29, 2026 at 16:54 UTC.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 08:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Tubitak Bilgem Software Technologies Research Institute; Tubitak Bilgem Software Technologies Research Institute pardus Os My Computer |
| Vendors & Products | | Tubitak Bilgem Software Technologies Research Institute; Tubitak Bilgem Software Technologies Research Institute pardus Os My Computer |

Wed, 29 Apr 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 29 Apr 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus OS My Computer allows OS Command Injection. This issue affects Pardus OS My Computer: from <=0.7.5 before 0.8.0. |
| Title | | OS Command Injection in TUBITAK BILGEM's Pardus OS My Computer |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-04-29T15:35:39.447Z

Reserved: 2026-04-22T08:58:42.292Z

Link: CVE-2026-6849

Vulnrichment

Updated: 2026-04-29T15:35:36.272Z

NVD

Status: Deferred

Published: 2026-04-29T16:16:28.413

Modified: 2026-04-29T21:13:30.563

Link: CVE-2026-6849

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:21:05Z
