CVE-2026-6819 · HIGH 8.8 · EPSS p20.7%


Description

Before the remediation in PR #156, HKUDS OpenHarness exposes the plugin lifecycle commands /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. An attacker who gains access through the channel layer can remotely manage plugin trust and activation state, enabling unauthorized plugin installation and activation on the system.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.29% probability of exploitation · percentile 20.7% · 2026-06-19T12:03:05Z
Published: 2026-04-21
Last modified: 2026-05-07

Underlying weaknesses (1)

CWE-276

References

  1. https://github.com/HKUDS/OpenHarness/commit/59017e09880fcf9a6f60456a84fb982900b2c0b2
  2. https://github.com/HKUDS/OpenHarness/pull/156
  3. https://github.com/HKUDS/OpenHarness/releases/tag/v0.1.7
  4. https://www.vulncheck.com/advisories/hkuds-openharness-plugin-management-command-exposure


Type: Weakness
Target: Incorrect Default Permissions (cwe-276)
Confidence: 0%
Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE CVE-2026-6823
  2. CVE CVE-2026-7551
  3. CVE CVE-2026-40502
  4. CVE CVE-2026-43571
  5. CVE CVE-2026-43569
  6. CVE CVE-2026-32916
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.