Skip to main content

Parseusbs CVE-2026-40030

| EUVDEUVD-2026-20771 HIGH
OS Command Injection (CWE-78)
2026-04-08 VulnCheck
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 08, 2026 - 22:01 euvd
EUVD-2026-20771
Analysis Generated
Apr 08, 2026 - 22:01 vuln.today
Patch released
Apr 08, 2026 - 22:01 nvd
Patch available
CVE Published
Apr 08, 2026 - 21:35 nvd
HIGH 8.4

DescriptionCVE.org

parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command with ls, allowing arbitrary command injection via crafted volume path arguments containing shell metacharacters. An attacker can provide a crafted volume path via the -v flag that injects arbitrary commands during volume content enumeration.

AnalysisAI

OS command injection in parseusbs (versions prior to 1.9) allows local attackers to execute arbitrary commands through unsanitized volume path arguments passed to the -v flag. The vulnerability stems from passing user-controlled input directly to os.popen() with shell=True during volume enumeration via ls command, enabling shell metacharacter injection. Exploitation requires user interaction to execute parseusbs with a malicious -v argument. No public exploit identified at time of analysis, though proof-of-concept exists in commit history.

Technical ContextAI

Root cause is CWE-78 command injection via unsanitized user input in os.popen() shell command construction. The -v flag argument containing shell metacharacters (e.g., semicolons, pipes, backticks) is concatenated directly into ls command string without input validation or sanitization, enabling arbitrary command execution within the Python subprocess shell context during volume content listing operations.

RemediationAI

Vendor-released patch: upgrade to parseusbs version 1.9 or later, which implements input sanitization for volume path arguments. The fix replaces unsafe os.popen() usage with properly escaped subprocess calls that prevent shell metacharacter interpretation. Users unable to upgrade immediately should avoid processing untrusted volume path arguments via the -v flag and validate all input against a whitelist of alphanumeric characters and safe path separators. Review commit 99f05996494e7e41ea0c7e13145ba20eb793e46b for technical implementation details: https://github.com/khyrenz/parseusbs/commit/99f05996494e7e41ea0c7e13145ba20eb793e46b. Consult vendor advisory at https://mobasi.ai/sentinel and VulnCheck analysis at https://www.vulncheck.com/advisories/parseusbs-command-injection-via-volume-path-argument for additional context.

Share

CVE-2026-40030 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy