Description
The NVDA Dev & Test Toolbox is an NVDA add-on for gathering tools to help NVDA development and testing. A vulnerability exists in versions 2.0 through 8.0 in the Log Reader feature of this add-on. A maliciously crafted log file can lead to arbitrary code execution when a user reads it with log reader commands. The log reading command process speech log entries in an unsafe manner. Python expressions embedded in the log may be evaluated when when speech entries are read with log reading commands. An attacker can exploit this by convincing a user to open a malicious crafted log file and to analyze it using the log reading commands. When the log is read, attacker-controlled code may execute with the privileges of the current user.
This issue does not require elevated privileges and relies solely on user interaction (opening the log file). Version 9.0 contains a fix for the issue. As a workaround, avoid using log reading commands, or at least, commands to move to next/previous log message (any message or commands for each type of message). For more security, one may disable their gestures in the input gesture dialog.
Published: 2026-02-26
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Patch Now
AI Analysis

Impact

The add‑on contains a Log Reader feature that processes speech log entries in an unsafe way. Maliciously crafted logs can embed Python expressions that are evaluated while the log is read. When a user opens such a file and triggers a log reading command, attacker‑controlled code runs with the privileges of the current Windows account, allowing disclosure of data, modification of files, or further compromise. The flaw stems from the use of an unsafe evaluation function, classified as CWE‑943.

Affected Systems

The vulnerability affects versions 2.0 through 8.0 of the NVDA Dev & Test Toolbox add‑on, developed by CyrilleB79. Version 9.0 includes a patch that disables the unsafe evaluation path. Only installations of the add‑on that have not been updated to 9.0 are at risk.

Risk and Exploitability

The flaw has a CVSS score of 7.8, indicating a high severity, but the EPSS score is below 1 % and the issue does not appear in the KEV catalog, reflecting a low current exploitation probability. An attacker would need to entice a user to open a malicious log file and invoke a log reading command. The exploit does not require elevated privileges and is therefore easy to trigger through user interaction or social engineering. While the likelihood of widespread exploitation remains low, the potential impact is significant if the user is running the add‑on without the latest update.

Generated by OpenCVE AI on April 16, 2026 at 15:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the NVDA Dev & Test Toolbox to version 9.0 or later to apply the official fix.
  • As an interim measure, refrain from using log reader or navigation commands on any log file.
  • Disable gesture shortcuts that trigger log reading commands in the NVDA input gesture dialog to reduce accidental execution.

Generated by OpenCVE AI on April 16, 2026 at 15:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Cyrilleb79
Cyrilleb79 nvda-dev-test-toolbox
Vendors & Products Cyrilleb79
Cyrilleb79 nvda-dev-test-toolbox

Thu, 26 Feb 2026 22:45:00 +0000

Type Values Removed Values Added
Description The NVDA Dev & Test Toolbox is an NVDA add-on for gathering tools to help NVDA development and testing. A vulnerability exists in versions 2.0 through 8.0 in the Log Reader feature of this add-on. A maliciously crafted log file can lead to arbitrary code execution when a user reads it with log reader commands. The log reading command process speech log entries in an unsafe manner. Python expressions embedded in the log may be evaluated when when speech entries are read with log reading commands. An attacker can exploit this by convincing a user to open a malicious crafted log file and to analyze it using the log reading commands. When the log is read, attacker-controlled code may execute with the privileges of the current user. This issue does not require elevated privileges and relies solely on user interaction (opening the log file). Version 9.0 contains a fix for the issue. As a workaround, avoid using log reading commands, or at least, commands to move to next/previous log message (any message or commands for each type of message). For more security, one may disable their gestures in the input gesture dialog.
Title Arbitrary code execution in log reader via untrusted log file
Weaknesses CWE-943
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Cyrilleb79 Nvda-dev-test-toolbox
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T18:52:30.864Z

Reserved: 2026-02-25T15:28:40.649Z

Link: CVE-2026-28211

cve-icon Vulnrichment

Updated: 2026-02-27T18:52:12.589Z

cve-icon NVD

Status : Deferred

Published: 2026-02-26T23:16:35.600

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-28211

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses