PT-2026-44083 · Isherlock · Isherlock
Astaruf · Published 2026-05-27 · Updated 2026-05-27
CVE-2026-44590
CVSS v3.1: 9.3 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Sherlock versions prior to 0.16.1
Description
The GitHub Actions workflow 'validate_modified_targets.yml' is susceptible to command injection through the pull_request_target trigger. This allows any GitHub user to execute arbitrary commands on the CI runner and exfiltrate the GITHUB_TOKEN by opening a pull request, without requiring approval, review, or merging.
Recommendations
Update to version 0.16.1.
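For auditing other workflows for the same class of issue, the following added example (not Sherlock's code and not part of the original advisory) flags attacker-controlled `${{ ... }}` expressions expanded inside `run:` scripts of workflows that trigger on `pull_request_target`. The advisory does not say which value is injected, so the pull request title, the field list and both sample workflows are assumptions constructed for illustration.

```python
import re

# Pull-request fields an outside contributor controls (partial list, assumed for this example).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(?:head_ref|event\.pull_request\."
    r"(?:title|body|head\.ref|head\.label))\s*\}\}")
TRIGGER = re.compile(r"^[^#]*\bpull_request_target\b")
RUN_KEY = re.compile(r"(-\s*)?run:")

def audit_workflow(text):
    """Return [(line_no, expression)] for untrusted expressions expanded inside
    run: scripts of a workflow that triggers on pull_request_target."""
    lines = text.splitlines()
    if not any(TRIGGER.search(line) for line in lines):
        return []
    findings, run_col = [], None
    for no, line in enumerate(lines, 1):
        body = line.lstrip()
        indent = len(line) - len(body)
        key = RUN_KEY.match(body)
        if key:
            run_col = indent + len(key.group(1) or "")  # column of the run key
        elif run_col is not None and body and indent <= run_col:
            run_col = None  # a sibling key or a new step ends the script
        if run_col is not None:
            findings += [(no, m.group(0)) for m in UNTRUSTED.finditer(line)]
    return findings

# Constructed workflows, not Sherlock's actual file.
HEADER = """\
on:
  pull_request_target:
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Report title
"""
VULNERABLE = HEADER + """\
        run: |
          echo "Validating ${{ github.event.pull_request.title }}"
"""
HARDENED = HEADER + """\
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Validating $PR_TITLE"
"""
```

The hardened form passes the value through `env:`, so the shell receives it as data in a variable and the expression is never substituted into the script text.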
Exploit
Fix
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Isherlock