Vulnerability Description
parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Khyrenz | Parseusbs | < 1.9 |
Related Weaknesses (CWE)
References
- https://github.com/khyrenz/parseusbs/commit/99f05996494e7e41ea0c7e13145ba20eb793Patch
- https://github.com/khyrenz/parseusbs/pull/10Issue Tracking
- https://mobasi.ai/sentinelThird Party Advisory
- https://www.vulncheck.com/advisories/parseusbs-command-injection-via-crafted-lnkThird Party Advisory
FAQ
What is CVE-2026-40029?
CVE-2026-40029 is a vulnerability with a CVSS score of 7.8 (HIGH). parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution v...
How severe is CVE-2026-40029?
CVE-2026-40029 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-40029?
Check the references section above for vendor advisories and patch information. Affected products include: Khyrenz Parseusbs.