Vulnerability Report

CVE-2026-44590

RCE

Title: Sherlock GitHub Actions Command Injection

RCE

Proof Of Concept

PoC Available for CVE-2026-44590

CWE Category CWE-78

Published Date May 27, 2026

Modified Date May 29, 2026

Exploit Status Available

Score 9.3 CVSS v3.1

Exploit Probability (EPSS)

1.14%

Vulnerability Summary

CVE-2026-44590: Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validate_modified_targets.yml is vulnerable to command injection via the pull_request_target trigger. Any GitHub user can execute arbitrary commands on the CI runner and exfiltrate the GITHUB_TOKEN by opening a pull request. No approval, review, or merge is required. This vulnerability is fixed in 0.16.1.

Impacted Vendors

Analysis in Progress...

Reference Links

https://github.com/sherlock-project/sherlock/security/advisories/GHSA-v6wr-ccr4-x8g9

CVSS v3.1

Source Entity [email protected]

Severity CRITICAL

9.3

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

CHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2026-44590 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/Astaruf/CVE-2026-44590

View Code

May 29, 2026 MODIFIED

Vulnerability data updated via NVD.

May 28, 2026 MODIFIED

Vulnerability data updated via NVD.

May 27, 2026 MODIFIED

Vulnerability data updated via NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity LOW

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

Affected Stack

No specific products linked.