Description
Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's write_txt, write_csv, write_json, and (commented-but-shipping) scan_file helpers open their output as open(f"{user}.<ext>"), where user comes unsanitized from the -u CLI flag or any line of a -U usernames file. A username that contains path-separator sequences (.., /, \, or an absolute path) causes tookie-osint to write the scan output to an arbitrary path the invoking user has write permission for. This vulnerability is fixed in 4.1fix.
Published: 2026-05-11
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Tookie is an OSINT collection utility that writes output files by concatenating the raw username string supplied through the –u command‑line flag or a –U usernames file. Because the input is not sanitized, a username that contains path‐separator sequences such as .., /, or \ causes the tool to create a file at an arbitrary location on the filesystem. This vulnerability, identified as CWE‑22 and CWE‑73, allows an attacker who can run Tookie with file‑write permissions to overwrite existing files, place malicious content, or modify configuration files, thereby compromising data integrity and potentially enabling privilege escalation.

Affected Systems

The flaw exists in all releases of Alfredredbird’s Tookie OSINT that precede the 4.1fix version. Any installation of the 4.x series that has not been upgraded to 4.1fix or later is susceptible and should be considered at risk when the tool is executed with untrusted username input.

Risk and Exploitability

The CVSS base score of 6.7 indicates a moderate severity. The EPSS score is currently unavailable and the vulnerability is not listed in the CISA KEV catalog. Likely attack vectors include local execution by a user who has write access to the target filesystem, or remote execution if the tool is run in a service context with elevated privileges. Successful exploitation permits overwriting arbitrary files, which can compromise system configuration, enable persistence, or facilitate further attacks.

Generated by OpenCVE AI on May 11, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Alfredredbird Tookie OSINT version 4.1fix or later to eliminate the unvalidated filename handling.
  • If an immediate upgrade is not possible, restrict write permissions on the output directory to trusted users only or run the tool under a dedicated minimal‑privilege account.
  • Implement input validation or sanitization for all username values supplied via –u or –U, rejecting characters that could form a path separator or relative traversal before file creation.

Generated by OpenCVE AI on May 11, 2026 at 19:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Alfredredbird
Alfredredbird tookie-osint
Vendors & Products Alfredredbird
Alfredredbird tookie-osint

Mon, 11 May 2026 18:45:00 +0000

Type Values Removed Values Added
Description Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's write_txt, write_csv, write_json, and (commented-but-shipping) scan_file helpers open their output as open(f"{user}.<ext>"), where user comes unsanitized from the -u CLI flag or any line of a -U usernames file. A username that contains path-separator sequences (.., /, \, or an absolute path) causes tookie-osint to write the scan output to an arbitrary path the invoking user has write permission for. This vulnerability is fixed in 4.1fix.
Title Tookie: Arbitrary file write via path traversal in -u username / -U userfile output filename
Weaknesses CWE-22
CWE-73
References
Metrics cvssV4_0

{'score': 6.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Alfredredbird Tookie-osint
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T18:36:50.830Z

Reserved: 2026-04-30T18:49:06.710Z

Link: CVE-2026-42866

cve-icon Vulnrichment

Updated: 2026-05-11T18:36:45.229Z

cve-icon NVD

Status : Received

Published: 2026-05-11T19:16:24.617

Modified: 2026-05-11T20:25:43.237

Link: CVE-2026-42866

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:22:31Z

Weaknesses