CVE-2026-44590

Publication date 27 May 2026

Last updated 9 June 2026


Ubuntu priority

CVSS 3 Severity Score

9.3 · Critical


Description

Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validate_modified_targets.yml is vulnerable to command injection via the pull_request_target trigger. Any GitHub user can execute arbitrary commands on the CI runner and exfiltrate the GITHUB_TOKEN by opening a pull request. No approval, review, or merge is required. This vulnerability is fixed in 0.16.1.


Status

Package    Ubuntu Release        Status
sherlock   26.04 LTS resolute    Ignored
sherlock   25.10 questing        Ignored
sherlock   24.04 LTS noble       Ignored
sherlock   22.04 LTS jammy       Not in release

Notes


shishirsub10

Command injection in the GitHub workflow, does not affect Ubuntu

Severity score breakdown

CVSS version: CVSS v3.0

Base score 9.3 · Critical

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

