HIGHCVE-2026-40029Published 2026-04-08Modified 2026-05-08CNA VulnCheck

CVE-2026-40029: parseusbs < 1.9 Command Injection via Crafted LNK Filename

parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing.

CVSS v4.0: 8.5
Severity: HIGH
Fixed in: 1.9.0
Affected Products: 1

Fix available

1.9.099f05996494e7e41ea0c7e13145ba20eb793e46b

Patch commits

Patch Commit

Affected packages

khyrenz / parseusbs
< 1.9.0 (from 0)
Fixed in 1.9.0, 99f05996494e7e41ea0c7e13145ba20eb793e46b

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

Pull Request
Patch Commit
Mobasi Sentinel Vulnerability Index
VulnCheck Advisory: parseusbs < 1.9 Command Injection via Crafted LNK Filename

Metrics

Fix available