Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command with ls, allowing arbitrary command injection via crafted volume path arguments containing shell metacharacters. An attacker can provide a crafted volume path via the -v flag that injects arbitrary commands during volume content enumeration.
AnalysisAI
OS command injection in parseusbs (versions prior to 1.9) allows local attackers to execute arbitrary commands through unsanitized volume path arguments passed to the -v flag. The vulnerability stems from passing user-controlled input directly to os.popen() with shell=True during volume enumeration via ls command, enabling shell metacharacter injection. Exploitation requires user interaction to execute parseusbs with a malicious -v argument. No public exploit identified at time of analysis, though proof-of-concept exists in commit history.
Technical ContextAI
Root cause is CWE-78 command injection via unsanitized user input in os.popen() shell command construction. The -v flag argument containing shell metacharacters (e.g., semicolons, pipes, backticks) is concatenated directly into ls command string without input validation or sanitization, enabling arbitrary command execution within the Python subprocess shell context during volume content listing operations.
RemediationAI
Vendor-released patch: upgrade to parseusbs version 1.9 or later, which implements input sanitization for volume path arguments. The fix replaces unsafe os.popen() usage with properly escaped subprocess calls that prevent shell metacharacter interpretation. Users unable to upgrade immediately should avoid processing untrusted volume path arguments via the -v flag and validate all input against a whitelist of alphanumeric characters and safe path separators. Review commit 99f05996494e7e41ea0c7e13145ba20eb793e46b for technical implementation details: https://github.com/khyrenz/parseusbs/commit/99f05996494e7e41ea0c7e13145ba20eb793e46b. Consult vendor advisory at https://mobasi.ai/sentinel and VulnCheck analysis at https://www.vulncheck.com/advisories/parseusbs-command-injection-via-volume-path-argument for additional context.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20771