Posting Date: 2026/04/29

【Vulnerability Alert】Hgiga iSherlock - OS Command Injection

  • Description:
    • Forwarded from TWCERT/CC Security Alert TWCERTCC-200-202604-00000015.
    • There is an OS Command Injection vulnerability in iSherlock developed by Hgiga (CVE-2026-6349, CVSS: 9.8). An unauthenticated local attacker can inject arbitrary operating system commands and execute them on the server.
  • Affected Platforms:
    • Hgiga iSherlock 4.5 and 5.5 (including MailSherlock, SpamSherlock, and AuditSherlock)
    • iSherlock-base-4.5 versions prior to 476
    • iSherlock-audit-4.5 versions prior to 261
    • iSherlock-base-5.5 versions prior to 476
    • iSherlock-audit-5.5 versions prior to 261
  • Recommended Actions:
    • Update the iSherlock-base-4.5 package to version 476 or later.
    • Update the iSherlock-audit-4.5 package to version 261 or later.
    • Update the iSherlock-base-5.5 package to version 476 or later.
    • Update the iSherlock-audit-5.5 package to version 261 or later.
  • Reference:

Computer and Communication Center
Network Systems Division