{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40029", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-08T13:36:49.290Z", "datePublished": "2026-04-08T21:35:24.801Z", "dateUpdated": "2026-04-08T21:35:24.801Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-08T21:35:24.801Z"}, "title": "parseusbs < 1.9 Command Injection via Crafted LNK Filename", "descriptions": [{"lang": "en", "value": "parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing."}], "tags": ["x_open-source"], "datePublic": "2026-02-08T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)", "type": "CWE"}]}], "affected": [{"vendor": "khyrenz", "product": "parseusbs", "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "1.9", "versionType": "semver"}, {"version": "1.9", "status": "unaffected", "versionType": "semver"}, {"status": "unaffected", "version": "99f05996494e7e41ea0c7e13145ba20eb793e46b", "versionType": "git"}]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.5, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "references": [{"url": "https://github.com/khyrenz/parseusbs/pull/10", "name": "Pull Request", "tags": ["product"]}, {"url": "https://github.com/khyrenz/parseusbs/commit/99f05996494e7e41ea0c7e13145ba20eb793e46b", "name": "Patch Commit", "tags": ["patch"]}, {"url": "https://mobasi.ai/sentinel", "name": "Mobasi Sentinel Vulnerability Index", "tags": ["vendor-advisory"]}, {"name": "VulnCheck Advisory: parseusbs < 1.9 Command Injection via Crafted LNK Filename", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/parseusbs-command-injection-via-crafted-lnk-filename"}], "credits": [{"lang": "en", "value": "Mobasi Security Team", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing."}], "id": "CVE-2026-40029", "lastModified": "2026-04-08T22:16:23.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-08T22:16:23.303", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/khyrenz/parseusbs/commit/99f05996494e7e41ea0c7e13145ba20eb793e46b"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/khyrenz/parseusbs/pull/10"}, {"source": "disclosure@vulncheck.com", "url": "https://mobasi.ai/sentinel"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/parseusbs-command-injection-via-crafted-lnk-filename"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.9)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.9"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "code_commit", "value": "99f05996494e7e41ea0c7e13145ba20eb793e46b"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "parseusbs", "source": "cna", "vendor": "khyrenz"}, "product": "parseusbs", "vendor": "khyrenz"}], "analysis": {"en": {"generated_at": "2026-04-08T22:53:24.393039+00:00", "value": {"mitigation_remediation": ["Upgrade parseusbs to version 1.9 or newer, where the command injection issue is fixed.", "If an upgrade is not immediately possible, move the USB parsing process to a secure, read\u2011only folder and avoid processing untrusted .lnk files.", "Alternatively, disable the os.popen() call or modify parseUSBs.py to sanitize input by removing shell metacharacters before execution.", "Run parseusbs with the least privileges necessary and monitor logs for unexpected shell command activity."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Command Execution"}, "threat_synthesis": {"affected_systems": "The affected product is parseusbs, distributed by the developer khyrenz. Any version older than 1.9 is vulnerable. No other vendors or product lines are listed as impacted in the official advisory.", "description_and_impact": "The vulnerability resides in parseusbs versions earlier than 1.9 and allows an attacker to execute arbitrary operating\u2011system commands during USB artifact parsing. The Python script invokes os.popen() with a LNK file path that is directly taken from the filename, without any sanitization. By crafting a .lnk file that contains shell metacharacters, an attacker can inject shell commands that the script will execute on the host machine. This is an OS command injection flaw (CWE\u201178) that provides the attacker with the ability to alter or read data and potentially take control of the forensic workstation.", "risk_and_exploitability": "The CVSS base score of 8.5 indicates a high severity risk. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the local attacker with access to a USB drive; by placing a specially named .lnk file on the drive and having parseusbs parse it, the attacker can exploit the unsanitized file name. Based on the description, it is inferred that the attacker would need control of the USB device to supply the crafted filename. The exploit path is straightforward: the script passes the filename to os.popen(), so any shell metacharacters embedded in the name are executed. Because the flaw is exercised during normal artifact parsing, an attacker with local or remote USB injection could compromise the forensic workstation. The lack of input validation and the use of a shell invocation make exploitation simple under the given conditions."}}}}, "created": "2026-04-09T08:16:27.571137+00:00", "updated": "2026-04-09T08:25:53.556448+00:00", "vendors": ["khyrenz", "khyrenz$PRODUCT$parseusbs"]}