Vulnerability Description
parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command with ls, allowing arbitrary command injection via crafted volume path arguments containing shell metacharacters. An attacker can provide a crafted volume path via the -v flag that injects arbitrary commands during volume content enumeration.
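The pattern the description names, an untrusted -v path interpolated into an os.popen() shell command around ls, is shown below beside two hardened forms. This is example code added for this page, not parseusbs's own source; the function names, the temporary sample directory and the metacharacter-bearing path are constructed for the demonstration, and the vulnerable function is shown for contrast only and is never called.

```python
import os
import subprocess
import tempfile
from pathlib import Path


# Vulnerable pattern as described in the advisory (illustrative reconstruction,
# not parseusbs's actual code): the -v path lands inside a shell command string,
# so anything the shell treats specially in it is interpreted rather than listed.
def list_volume_unsafe(volume_path: str) -> str:
    return os.popen(f"ls -la {volume_path}").read()


# Hardened form 1: no shell at all. The argument is only ever a filesystem path,
# and a non-directory (including one with separators appended) is refused.
def list_volume_safe(volume_path: str) -> list[str]:
    p = Path(volume_path)
    if not p.is_dir():
        raise ValueError(f"volume path is not a directory: {volume_path!r}")
    return sorted(child.name for child in p.iterdir())


# Hardened form 2: if ls output is really wanted, pass argv as a list (no shell)
# and add "--" so a path beginning with "-" cannot be parsed as an option.
# Metacharacters then reach ls as literal bytes of one argument.
def list_volume_subprocess(volume_path: str) -> str:
    completed = subprocess.run(
        ["ls", "-la", "--", volume_path],
        capture_output=True,
        text=True,
        check=True,  # CalledProcessError when ls cannot access the path
    )
    return completed.stdout


def demo() -> dict:
    """Constructed scenario: a temp directory holding two files, plus a volume
    path carrying a shell separator. Only the hardened functions are exercised."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("a.txt", "b.txt"):
            Path(tmp, name).write_text("sample")
        # Constructed untrusted input; it is never handed to a shell here.
        untrusted = f"{tmp}; echo injected"

        try:
            list_volume_safe(untrusted)
            pathlib_rejected = False
        except ValueError:
            pathlib_rejected = True

        try:
            list_volume_subprocess(untrusted)
            argv_rejected = False
        except subprocess.CalledProcessError:
            argv_rejected = True

        return {
            "listing": list_volume_safe(tmp),
            "pathlib_rejects_untrusted_path": pathlib_rejected,
            "argv_ls_rejects_untrusted_path": argv_rejected,
            "argv_ls_lists_real_dir": "a.txt" in list_volume_subprocess(tmp),
        }


if __name__ == "__main__":
    print(demo())
```

The first hardened form is the one to prefer for a directory listing: with no shell and no child process, there is nothing for metacharacters to act on. The second is for cases where the external tool's output is genuinely needed; the argv list plus `--` keeps the whole user-supplied value inside one argument.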
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Khyrenz | Parseusbs | < 1.9 |
Related Weaknesses (CWE)
References
- Patch: https://github.com/khyrenz/parseusbs/commit/99f05996494e7e41ea0c7e13145ba20eb793
- Issue Tracking: https://github.com/khyrenz/parseusbs/pull/10
- Third Party Advisory: https://mobasi.ai/sentinel
- Third Party Advisory: https://www.vulncheck.com/advisories/parseusbs-command-injection-via-volume-path
FAQ
What is CVE-2026-40030?
CVE-2026-40030 is a vulnerability with a CVSS score of 7.8 (HIGH). parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command with ls, allowing arbitrary ...
How severe is CVE-2026-40030?
CVE-2026-40030 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-40030?
Check the references section above for vendor advisories and patch information. Affected products include: Khyrenz Parseusbs.