CVE-2026-40029

HIGH 7.8

parseusbs < 1.9 Command Injection via Crafted LNK Filename

CVSS Score

7.8

EPSS Score

0.0%

EPSS Percentile

6th

parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing.

CWE	CWE-78
Vendor	khyrenz
Product	parseusbs
Published	Apr 8, 2026
Last Updated	Apr 9, 2026

Stay Ahead of the Next One

Get instant alerts for khyrenz parseusbs

Be the first to know when new high vulnerabilities affecting khyrenz parseusbs are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

khyrenz / parseusbs

0 < 1.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/khyrenz/parseusbs/pull/10 github.com: https://github.com/khyrenz/parseusbs/commit/99f05996494e7e41ea0c7e13145ba20eb793e46b mobasi.ai: https://mobasi.ai/sentinel vulncheck.com: https://www.vulncheck.com/advisories/parseusbs-command-injection-via-crafted-lnk-filename

Credits

Mobasi Security Team