Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing.
AnalysisAI
OS command injection in parseusbs <1.9 enables arbitrary code execution on forensic examiner systems through maliciously crafted .lnk filenames. The parseUSBs.py module passes LNK file paths unsanitized into os.popen() shell commands, allowing attackers to embed shell metacharacters in filenames that execute during USB artifact parsing. Exploitation requires no authentication (PR:N) but necessitates user interaction (UI:P) when the examiner processes USB artifacts containing weaponized .lnk files. No public exploit identified at time of analysis.
Technical ContextAI
CWE-78 command injection stems from parseUSBs.py passing user-controlled LNK file paths directly to os.popen() without input sanitization or shell escaping. Shell metacharacters (e.g., backticks, semicolons, pipe operators) embedded in .lnk filenames are interpreted by the underlying shell, enabling arbitrary command execution in the context of the parsing process. Affects khyrenz parseusbs versions prior to 1.9.
RemediationAI
Vendor-released patch: upgrade to parseusbs version 1.9 or later, which implements input sanitization for LNK file paths before shell execution. The fix is available via commit 99f05996494e7e41ea0c7e13145ba20eb793e46b and pull request #10 on the official GitHub repository. Organizations unable to immediately upgrade should implement file name validation to reject .lnk files containing shell metacharacters (characters such as backticks, semicolons, pipes, dollar signs) before processing, or isolate parseusbs execution in sandboxed environments with restricted privileges. Detailed vendor advisory available at https://mobasi.ai/sentinel and patch details at https://github.com/khyrenz/parseusbs/commit/99f05996494e7e41ea0c7e13145ba20eb793e46b.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20769
GHSA-2m8h-6748-cf32