CVE-2026-40029
OS Command Injection in parseusbs parseUSBs.py via Malicious LNK Files
Publication date: 2026-04-08
Last updated on: 2026-04-13
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| khyrenz | parseusbs | to 1.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can lead to arbitrary command execution on the machine running the vulnerable parseusbs software. An attacker can exploit this by crafting malicious .lnk filenames that, when parsed, execute commands with the privileges of the user running the software. This can result in compromise of confidentiality, integrity, and availability of the system.
Can you explain this vulnerability to me?
The vulnerability exists in parseusbs before version 1.9, specifically in the parseUSBs.py script. It involves an OS command injection where LNK file paths are passed without proper sanitization into an os.popen() shell command. This allows an attacker to craft a .lnk filename containing shell metacharacters that can execute arbitrary commands on the forensic examiner's machine during USB artifact parsing.