CVE-2026-42866
Tookie: Arbitrary file write via path traversal in -u username / -U userfile output filename
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's write_txt, write_csv, write_json, and (commented-but-shipping) scan_file helpers open their output as open(f"{user}.<ext>"), where user comes unsanitized from the -u CLI flag or any line of a -U usernames file. A username that contains path-separator sequences (.., /, \, or an absolute path) causes tookie-osint to write the scan output to an arbitrary path the invoking user has write permission for. This vulnerability is fixed in 4.1fix.
| CWE | CWE-22 CWE-73 |
| Vendor | alfredredbird |
| Product | tookie-osint |
| Published | May 11, 2026 |
| Last Updated | May 11, 2026 |
Stay Ahead of the Next One
Get instant alerts for alfredredbird tookie-osint
Be the first to know when new unknown vulnerabilities affecting alfredredbird tookie-osint are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Alfredredbird / tookie-osint
< 4.1fix