EUVD-2026-32638CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
Lifecycle Timeline
3DescriptionNVD
Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validate_modified_targets.yml is vulnerable to command injection via the pull_request_target trigger. Any GitHub user can execute arbitrary commands on the CI runner and exfiltrate the GITHUB_TOKEN by opening a pull request. No approval, review, or merge is required. This vulnerability is fixed in 0.16.1.
AnalysisAI
Command injection in the Sherlock username-hunting tool's CI/CD pipeline (versions prior to 0.16.1) allows any GitHub user to run arbitrary commands on the project's GitHub Actions runner. The flaw lives in the validate_modified_targets.yml workflow, which uses the dangerous pull_request_target trigger; simply opening a pull request executes attacker-controlled code with no approval, review, or merge required. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Restrict repository access or disable the validate_modified_targets.yml workflow to prevent untrusted pull requests. Within 7 days: Upgrade Sherlock to version 0.16.1 and audit CI/CD logs for suspicious execution activity. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today