Vulnerability Description
Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's write_txt, write_csv, write_json, and (commented-but-shipping) scan_file helpers open their output as open(f"{user}.<ext>"), where user comes unsanitized from the -u CLI flag or any line of a -U usernames file. A username that contains path-separator sequences (.., /, \, or an absolute path) causes tookie-osint to write the scan output to an arbitrary path the invoking user has write permission for. This vulnerability is fixed in 4.1fix.
Related Weaknesses (CWE)
References
- https://github.com/Alfredredbird/tookie-osint/security/advisories/GHSA-rp68-wfv6
- https://github.com/Alfredredbird/tookie-osint/security/advisories/GHSA-rp68-wfv6
FAQ
What is CVE-2026-42866?
CVE-2026-42866 is a documented vulnerability. Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's write_txt, write_csv, write_json, and (commented-but-shipping) scan_file helpers open their output as open(...
How severe is CVE-2026-42866?
CVSS scoring is not yet available for CVE-2026-42866. Check NVD for updates.
Is there a patch for CVE-2026-42866?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.