Skip to main content

Parseusbs CVE-2026-40029

| EUVDEUVD-2026-20769 HIGH
OS Command Injection (CWE-78)
2026-04-08 VulnCheck GHSA-2m8h-6748-cf32
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 08, 2026 - 22:01 euvd
EUVD-2026-20769
Analysis Generated
Apr 08, 2026 - 22:01 vuln.today
Patch released
Apr 08, 2026 - 22:01 nvd
Patch available
CVE Published
Apr 08, 2026 - 21:35 nvd
HIGH 8.5

DescriptionCVE.org

parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing.

AnalysisAI

OS command injection in parseusbs <1.9 enables arbitrary code execution on forensic examiner systems through maliciously crafted .lnk filenames. The parseUSBs.py module passes LNK file paths unsanitized into os.popen() shell commands, allowing attackers to embed shell metacharacters in filenames that execute during USB artifact parsing. Exploitation requires no authentication (PR:N) but necessitates user interaction (UI:P) when the examiner processes USB artifacts containing weaponized .lnk files. No public exploit identified at time of analysis.

Technical ContextAI

CWE-78 command injection stems from parseUSBs.py passing user-controlled LNK file paths directly to os.popen() without input sanitization or shell escaping. Shell metacharacters (e.g., backticks, semicolons, pipe operators) embedded in .lnk filenames are interpreted by the underlying shell, enabling arbitrary command execution in the context of the parsing process. Affects khyrenz parseusbs versions prior to 1.9.

RemediationAI

Vendor-released patch: upgrade to parseusbs version 1.9 or later, which implements input sanitization for LNK file paths before shell execution. The fix is available via commit 99f05996494e7e41ea0c7e13145ba20eb793e46b and pull request #10 on the official GitHub repository. Organizations unable to immediately upgrade should implement file name validation to reject .lnk files containing shell metacharacters (characters such as backticks, semicolons, pipes, dollar signs) before processing, or isolate parseusbs execution in sandboxed environments with restricted privileges. Detailed vendor advisory available at https://mobasi.ai/sentinel and patch details at https://github.com/khyrenz/parseusbs/commit/99f05996494e7e41ea0c7e13145ba20eb793e46b.

Share

CVE-2026-40029 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy