Skip to main content

Sherlock

2 CVEs product

Monthly

CVE-2026-44590 CRITICAL PATCH Act Now

Command injection in the Sherlock username-hunting tool's CI/CD pipeline (versions prior to 0.16.1) allows any GitHub user to run arbitrary commands on the project's GitHub Actions runner. The flaw lives in the validate_modified_targets.yml workflow, which uses the dangerous pull_request_target trigger; simply opening a pull request executes attacker-controlled code with no approval, review, or merge required. Fixed in 0.16.1; with a CVSS of 9.3 it is a high-severity supply-chain issue, though no public exploit was identified at time of analysis and the technique class is well documented.

Command Injection Sherlock
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.8%
CVE-2018-17930 CRITICAL Act Now

A stack-based buffer overflow vulnerability has been identified in Teledyne DALSA Sherlock Version 7.2.7.4 and prior, which may allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Stack Overflow Sherlock
NVD
CVSS 3.1
9.8
EPSS
7.3%
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Command injection in the Sherlock username-hunting tool's CI/CD pipeline (versions prior to 0.16.1) allows any GitHub user to run arbitrary commands on the project's GitHub Actions runner. The flaw lives in the validate_modified_targets.yml workflow, which uses the dangerous pull_request_target trigger; simply opening a pull request executes attacker-controlled code with no approval, review, or merge required. Fixed in 0.16.1; with a CVSS of 9.3 it is a high-severity supply-chain issue, though no public exploit was identified at time of analysis and the technique class is well documented.

Command Injection Sherlock
NVD GitHub VulDB
EPSS 7% CVSS 9.8
CRITICAL Act Now

A stack-based buffer overflow vulnerability has been identified in Teledyne DALSA Sherlock Version 7.2.7.4 and prior, which may allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Stack Overflow +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy