CVE-2026-40029

HIGH

parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing.

CVSS v3.1 Score

7.8
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
LOCAL
Complexity
LOW
Privileges
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Published: 4/8/2026Modified: 4/13/2026

Related Intelligence (0)

No articles currently reference this CVE.

References (4)

https://github.com/khyrenz/parseusbs/commit/99f05996494e7e41ea0c7e13145ba20eb793e46bPatchhttps://github.com/khyrenz/parseusbs/pull/10Issue Trackinghttps://mobasi.ai/sentinelThird Party Advisoryhttps://www.vulncheck.com/advisories/parseusbs-command-injection-via-crafted-lnk-filenameThird Party Advisory