Skip to main content

flawfinder CVE-2026-48813

LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-26 https://github.com/david-a-wheeler/flawfinder GHSA-4c3c-r6p8-c863

Severity by source

vuln.today AI
3.3 LOW

AV:L because attacker-controlled files must exist on the local filesystem being scanned; UI:R because a user must actively run flawfinder; I:L for manipulated tool output integrity; no confidentiality or availability impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 26, 2026 - 21:25 vuln.today
Analysis Generated
Jun 26, 2026 - 21:25 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 11 pypi packages depend on flawfinder (3 direct, 8 indirect)

Ecosystem-wide dependent count for version 2.0.20.

DescriptionCVE.org

Impact

This vulnerability is an improper input neutralization issue leading to output manipulation, specifically, Terminal/ANSI Escape Sequence Injection and XML Injection:

  • Terminal Output Spoofing: A malicious file whose name contains ANSI escape sequences can end up being included in flawfinder's standard terminal output, with many effects. For example, this might allow an attacker to hide critical scan results, falsely making it appear to a human reviewer that no security issues were found.
  • CSV and XML Injection: Untrusted fields (such as filenames, categories, or code context text) were not properly sanitized when generating structured reports. An attacker could exploit this to corrupt CSV formats or inject arbitrary XML attributes into SonarQube outputs via output_sonar().

It impacts those who use flawfinder to evaluate intentionally malicious filenames or file contents.

The initial filename injection problem was reported by Dan Lenz https://www.linkedin.com/in/dan-lenz/

The other vulnerabilities were found by flawfinder project leader David A. Wheeler, GitHub david-a-wheeler, https://dwheeler.com/

Patches

This issue has been fully patched in Version 2.0.20 (released 2026-05-16). All users should upgrade to version 2.0.20 or later immediately. If you use Python's package manager, you can upgrade using pip install --upgrade flawfinder. If you are consuming flawfinder via GitHub Actions, ensure your workflow points to david-a-wheeler/flawfinder@2.0.20 or later.

Workarounds

There is no configuration-based workaround within older versions of flawfinder. If an immediate upgrade is not possible, users can mitigate the risk by:

  • Pre-scanning filenames: Manually or programmatically verifying that target repositories do not contain filenames with control characters (including ANSI escape sequences) before passing them to flawfinder.
  • Inspecting raw output: Reviewing flawfinder outputs in a text editor or logging mechanism that explicitly displays or strips raw escape sequences, rather than relying on live terminal rendering.
  • Restricting untrusted inputs: Avoiding the generation of SonarQube or CSV reports from completely untrusted repositories until the tool is updated.

Resources

See the flawfinder GitHub Repository: https://github.com/david-a-wheeler/flawfinder

AnalysisAI

Output manipulation in flawfinder before version 2.0.20 allows an attacker who controls repository filenames or file content to inject ANSI escape sequences into terminal output, visually hiding or falsifying scan results from human reviewers. The same untrusted-input handling gap extends to structured report generation: CSV reports and SonarQube XML output (via the output_sonar() function) can be corrupted or attribute-injected when filenames, categories, or code context contain unescaped special characters. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker plants ANSI-poisoned filenames in repository
Delivery
Victim clones or receives untrusted repository
Exploit
Victim runs flawfinder scan against repository
Execution
Malicious filename embedded unsanitized in terminal output
Persist
ANSI sequences interpreted by terminal emulator
Impact
Security findings hidden or falsified for reviewer

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker control filenames, directory names, or file content in a repository that is subsequently scanned by a vulnerable version of flawfinder (< 2.0.20). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector provided in the input (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) is a placeholder with all impact metrics set to None and a score of N/A; it is non-informative for risk prioritization and should not be used. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a pull request or otherwise introduces a file into a repository whose name embeds ANSI escape sequences - for example, a filename containing ESC[2J (clear screen) or ESC[1A (cursor up) followed by overwrite text. When a security engineer or CI pipeline runs flawfinder against the repository in a standard terminal, the escape sequences render and visually suppress or replace the findings output, causing the reviewer to believe no vulnerabilities were detected. …
Remediation Vendor-released patch: flawfinder 2.0.20, released 2026-05-16. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-48813 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy