40 matches found

Tenable Nessus
added 6 days ago, 8 views

Linux Distros Unpatched Vulnerability : CVE-2026-44590

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validate_modified_targets.yml is...

CVSS: 9.3 | AI score: 6.1 | EPSS: 0.01375
Exploits: 1 | References: 2
Vulnrichment
added 2026/05/27 7:23 p.m., 4 views

CVE-2026-44590 Sherlock: Command Injection via pull_request_target in validate_modified_targets.yml

Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validate_modified_targets.yml is vulnerable to command injection via the pull_request_target trigger. Any GitHub user can execute arbitrary commands on the CI runner and exfiltra...

CVSS: 9.3 | AI score: 6.1 | EPSS: 0.01375
Exploits: 1 | References: 1
CNNVD
added 2026/05/27 12:00 a.m., 6 views

sherlock OS command injection vulnerability

Sherlock is an open-source username search tool developed by Sherlock. Versions of Sherlock prior to 0.16.1 contained a vulnerability related to operating system command injection. This vulnerability originated from the pull_request_target trigger in the GitHub Actions workflow...

CVSS: 9.3 | AI score: 6.1 | EPSS: 0.01375
Exploits: 1 | References: 1
GithubExploit
added 2026/05/07 7:16 p.m., 71 views

Exploit for CVE-2026-44590

CVE-2026-44590 - sherlock-project/sherlock CI - RCE via pullr...

AI score: 6 | EPSS: 0.01375
Exploits: 1
Gitee
added 2025/09/14 5:50 p.m., 89 views

AutoRDPwn

This is a post-exploitation framework called AutoRDPwn, written in PowerShell. It is designed to automate the Shadow attack on Microsoft Windows computers, which allows a remote attacker to view and control the victim's desktop without their consent. The framework has a user-friendly interface an...

AI score: 7.1
Exploits: 0
OSSF Malicious Packages
added 2025/08/14 6:52 p.m., 2 views

Malicious code in focus-sherlock (npm)

The package focus-sherlock was found to contain malicious code...

AI score: 7
Exploits: 0
OSSF Malicious Packages
added 2025/08/14 6:52 p.m., 2 views

Malicious code in sherlock-frontier-client (npm)

The package sherlock-frontier-client was found to contain malicious code...

AI score: 7
Exploits: 0
OSV
added 2025/08/14 6:52 p.m., 1 view

MAL-2025-33092 Malicious code in sherlock-frontier-client (npm)

The package sherlock-frontier-client was found to contain malicious code...

AI score: 7.2
Exploits: 0
OSV
added 2025/08/14 6:52 p.m., 1 view

MAL-2025-20733 Malicious code in focus-sherlock (npm)

The package focus-sherlock was found to contain malicious code...

AI score: 7.2
Exploits: 0
The Hacker News
added 2024/10/29 11:00 a.m., 17 views

A Sherlock Holmes Approach to Cybersecurity: Eliminate the Impossible with Exposure Validation

Sherlock Holmes is famous for his incredible ability to sort through mounds of information; he removes the irrelevant and exposes the hidden truth. His philosophy is plain yet brilliant: "When you have eliminated the impossible, whatever remains, however improbable, must be the truth." Rather tha...

AI score: 7.1
Exploits: 0
OSV
added 2024/06/25 1:00 p.m., 3 views

MAL-2024-3013 Malicious code in sherlock-front (npm)

AI score: 7.1
Exploits: 0
OSSF Malicious Packages
added 2024/06/25 1:00 p.m., 0 views

Malicious code in sherlock-front (npm)

AI score: 7
Exploits: 0
OSV
added 2024/04/29 4:15 a.m., 0 views

CVE-2024-4299

The system configuration interface of HGiga iSherlock including MailSherlock, SpamSherlock, AuditSherlock fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability for Command Injection attacks, enablin...

CVSS: 7.2 | AI score: 6 | EPSS: 0.02126
Exploits: 0 | References: 3
Code423n4
added 2023/11/15 12:00 a.m., 15 views

stETH/ETH, rETH/ETH and cbETH/ETH chainlink oracles has too long of heartbeat and deviation threshold which can cause loss of funds

Lines of code. Vulnerability details: ChainlinkPriceOracle fetches prices from the Chainlink contracts. But the price feeds in the consideration have a very long price heartbeat and deviation rate which might lead to wrong price calculation and loss of token to the user. Impact: According to the...

AI score: 6.9
Exploits: 0
CNNVD
added 2023/03/27 12:00 a.m., 2 views

HGiga MailSherlock SQL injection vulnerability

Hgiga MailSherlock is an enterprise email audit system from China Henderson Technology Hgiga. A SQL injection vulnerability exists in HGiga MailSherlock version 4.5, which stems from a query function that does not adequately validate user input. An attacker can exploit this vulnerability by...

CVSS: 7.2 | AI score: 7.4 | EPSS: 0.00688
Exploits: 0 | References: 2
vulnersOsv
added 2022/05/24 10:28 p.m., 2 views

com.coditory.sherlock:sherlock-mongo-sync (=0.4.3), com.hazelcast.jet.contrib:mongodb (=0.2) +22 more potentially affected by CVE-2021-20328 via org.mongodb:mongodb-driver-sync (>=3.11.0 <=3.11.2)

org.mongodb:mongodb-driver-sync MAVEN version =3.11.0, =0.0.1, =2.1.18, =2.1.18, =2.1.18, =2.0.0, =2.0.0, =2.0.0, =5.0.20.RC, =1.6.1, =3.11.0, =3.11.2 - org.mongojack:mongojack =2.10.1 and more Source cves: CVE-2021-20328 Source advisory: OSV:GHSA-RGHW-6PX2-FGWC...

CVSS: 6.8 | AI score: 6.7 | EPSS: 0.00129
Exploits: 0
Code423n4
added 2022/01/26 12:00 a.m., 9 views

Sherlock: Decouple yield strategy with withdrawals

Handle: GreyArt. Vulnerability details. Impact: If there are funds remaining in an old strategy, there is only 1 way to claim those funds which is through Sherlock.updateYieldStrategy. It is quite an inconvenience to do this. Recommended Mitigation Steps: Create an additional function to allow anyone...

AI score: 6.8
Exploits: 0
Code423n4
added 2022/01/26 12:00 a.m., 7 views

Users shouldn't be forced into a specific strategy (possible rug pull)

Handle: harleythedog. Vulnerability details. Impact: As already discussed in the previous Sherlock C4 contest here, it is best to mitigate rug pull possibilities even if the team is well intentioned, there is still the risk of being called out, and fewer users might interact with the project if the...

AI score: 6.7
Exploits: 0
Code423n4
added 2022/01/26 12:00 a.m., 7 views

Sherlock: arbRestake() doesnt reduce addressShares of owner

Handle: GreyArt. Vulnerability details. Impact: As per the documentation, “After 2 weeks without action on an unlocked position arbs can come in to arbRestakeid, 20% of the underlying USDC amount principal + yield is at risk for the owner of the position.” While shares are redeemed for the arbitrager...

AI score: 6.8
Exploits: 0
Code423n4
added 2022/01/23 12:00 a.m., 9 views

Reenterancy in _sendSherRewardsToOwner()

Handle: kirk-baird. Vulnerability details. Impact: This is a reentrancy vulnerability that would allow the attacker to drain the entire SHER balance of the contract. Note: this attack requires gaining control of execution sher.transfer which will depend on the implementation of the SHER token. Contro...

AI score: 7.1
Exploits: 0