Critical severity9.3NVD Advisory· Published May 27, 2026· Updated May 29, 2026
CVE-2026-44590
CVE-2026-44590
Description
Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validate_modified_targets.yml is vulnerable to command injection via the pull_request_target trigger. Any GitHub user can execute arbitrary commands on the CI runner and exfiltrate the GITHUB_TOKEN by opening a pull request. No approval, review, or merge is required. This vulnerability is fixed in 0.16.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<0.16.1+ 1 more
- (no CPE)range: <0.16.1
- (no CPE)range: <0.16.1
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.