UBUNTU-CVE-2026-44590

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-44590

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44590.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-44590

Upstream

CVE-2026-44590

Published

2026-05-27T20:16:00Z

Modified

2026-06-09T08:45:09.965142750Z

Severity

9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validatemodifiedtargets.yml is vulnerable to command injection via the pullrequesttarget trigger. Any GitHub user can execute arbitrary commands on the CI runner and exfiltrate the GITHUB_TOKEN by opening a pull request. No approval, review, or merge is required. This vulnerability is fixed in 0.16.1.

References

Affected packages

Ubuntu:24.04:LTS / sherlock

Package

Name: sherlock
Purl: pkg:deb/ubuntu/sherlock?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.14.3+git20231006.b336017-1

0.14.3+git20231225.2813b91-1

0.14.3+git20240119.e3a09f8-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "sherlock",
            "binary_version": "0.14.3+git20240119.e3a09f8-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44590.json"

Ubuntu:25.10 / sherlock

Package

Name: sherlock
Purl: pkg:deb/ubuntu/sherlock?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.15.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "sherlock",
            "binary_version": "0.15.0-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44590.json"

Ubuntu:26.04:LTS / sherlock

Package

Name: sherlock
Purl: pkg:deb/ubuntu/sherlock?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.15.0-1

0.15.0-1build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "sherlock",
            "binary_version": "0.15.0-1build1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44590.json"