HummerRisk SnakeYAML Component Vulnerability Leading to Remote Code Execution

Vulnerability

A remote code execution vulnerability has been identified in HummerRisk versions through 1.5.0. The issue arises from the use of a vulnerable SnakeYAML component, which allows attackers to execute arbitrary code and potentially take over the server.
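The root cause class here is YAML parsed by SnakeYAML with a constructor that lets the document name Java classes. The following is an added example, not code from HummerRisk or from this advisory, showing the defensive pattern: loading untrusted YAML through SnakeYAML's SafeConstructor, which builds only standard YAML types and rejects any global (`!!`) tag. It assumes the SnakeYAML 2.x API (`SafeConstructor(LoaderOptions)`); the class name in the tagged sample is a constructed placeholder.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Added example (not HummerRisk code): load YAML from an untrusted source without
// letting the document choose which Java classes get instantiated.
public class SafeYamlLoader {

    // SafeConstructor only builds the standard YAML types (maps, lists, scalars);
    // any "!!" global tag naming a Java class is rejected instead of instantiated.
    private static Yaml newSafeYaml() {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false);    // reject ambiguous documents as well
        options.setMaxAliasesForCollections(50); // bound alias expansion (resource exhaustion)
        return new Yaml(new SafeConstructor(options));
    }

    // Returns the parsed top-level mapping, or null if the document was rejected
    // or is not a mapping.
    public static Map<String, Object> loadConfig(String untrustedYaml) {
        try {
            Object parsed = newSafeYaml().load(untrustedYaml);
            if (parsed instanceof Map) {
                @SuppressWarnings("unchecked")
                Map<String, Object> map = (Map<String, Object>) parsed;
                return map;
            }
            return null;
        } catch (YAMLException e) {
            // SafeConstructor raises a ConstructorException for unknown/global tags;
            // log it as a rejected input rather than letting it propagate as a crash.
            System.err.println("rejected YAML document: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a plain configuration document is accepted.
        String benign = "name: scanner\nthreads: 4\n";
        System.out.println("benign -> " + loadConfig(benign));

        // Constructed sample: a document that tries to select a Java class via a
        // global tag. The class name is a placeholder; SafeConstructor refuses any
        // such tag regardless of which class it names.
        String tagged = "name: !!com.example.PlaceholderClass {}\n";
        System.out.println("tagged -> " + loadConfig(tagged));
    }
}
```

The benign document yields `{name=scanner, threads=4}`; the tagged document is rejected with a "could not determine a constructor for the tag" error and `loadConfig` returns null. Applying this loader wherever user-controlled YAML enters the application, and upgrading SnakeYAML to a release whose default loader no longer honours arbitrary global tags, are the two remediations a reviewer should look for.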

Impact

Exploitation of this vulnerability allows for remote code execution on the server where HummerRisk is running.

Reproduction

To reproduce this vulnerability, install and start HummerRisk. Log in as an admin user. Once logged in, create a normal user account. After creating the account, log in as the newly created user. Access the API documentation, which is available to normal users. Use the file writing feature to upload a payload, which can be executed by overwriting the /etc/crontab file, leading to remote code execution.

Added: Dec 8, 2025, 5:22 PM
Updated: Dec 8, 2025, 6:42 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.