Description
parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing.
Published: 2026-04-08
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Command Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an OS command injection flaw in parseusbs, present in all versions before 1.9, caused by unsanitized .lnk filenames being fed directly into an os.popen() shell command. An attacker can craft a .lnk filename containing shell metacharacters, causing the forensic parser to execute arbitrary commands on the host machine. This flaw is a classic command‑line injection (CWE‑78) that can lead to full control of the machine running the parser.

Affected Systems

The affected product is parseusbs by khyrenz. All installations of parseusbs older than version 1.9 are vulnerable. No specific sub‑version is listed beyond the major release cutoff.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity vulnerability. The EPSS score is below 1%, meaning real‑world exploitation is currently unlikely, but the issue is not listed in the CISA KEV catalog. Exploitation requires an attacker to provide a USB drive with a specially crafted .lnk file and run parseusbs on a machine that will parse that file; thus the attack vector is local‑file based with the ability to execute arbitrary system commands.

Generated by OpenCVE AI on April 13, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update parseusbs to version 1.9 or later, or apply the patch available in commit 99f05996494e7e41ea0c7e13145ba20eb793e46b.
  • Avoid parsing USB drives that contain unknown or suspicious .lnk files until an update is applied.
  • If an update cannot be applied immediately, configure parseusbs to reject or sanitize filenames containing shell metacharacters before executing the parsing logic.
  • Audit parsing logs to detect any unexpected command execution attempts.

Generated by OpenCVE AI on April 13, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:khyrenz:parseusbs:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Khyrenz
Khyrenz parseusbs
Vendors & Products Khyrenz
Khyrenz parseusbs

Wed, 08 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing.
Title parseusbs < 1.9 Command Injection via Crafted LNK Filename
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Khyrenz Parseusbs
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-08T14:07:46.380Z

Reserved: 2026-04-08T13:36:49.290Z

Link: CVE-2026-40029

cve-icon Vulnrichment

Updated: 2026-04-09T14:48:28.046Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T22:16:23.303

Modified: 2026-06-17T10:44:37.850

Link: CVE-2026-40029

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:37:01Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')