CVE-2026-42866
Tookie OSINT Path Traversal in Output File Handling
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| alfredredbird | tookie-osint | up to 4.1 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42866 is a high-severity vulnerability in the tookie-osint tool, affecting versions 4.1 and earlier. The vulnerability arises because the tool's functions that write output files (write_txt, write_csv, write_json, and scan_file) use filenames derived directly from user input without sanitization.
Specifically, the username input from the -u CLI flag or -U usernames file can contain path-separator sequences such as '..', '/', '\', or absolute paths. This allows an attacker to cause the tool to write output files to arbitrary locations where the invoking user has write permissions, leading to an arbitrary file write vulnerability.
Although the tool forces file extensions (.txt, .csv, .json), which limits the attack surface, it does not prevent overwriting existing files or placing files in unintended directories.
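The weak pattern the description refers to, and one way to harden it, as an added illustration that is not tookie-osint's own code. The function names (`unsafe_output_path`, `sanitize_username`, `safe_output_path`) and the `results` output directory are assumptions; the point is that a username must be reduced to a plain basename and the resolved path checked against the output root before the file is opened.

```python
import os
import re
from pathlib import Path

# Hypothetical reconstruction of the weak pattern: the username goes straight
# into the filename, so '../' segments, '\' separators and absolute paths can
# steer the write outside the output directory. Illustrative only.
def unsafe_output_path(username: str, out_dir: str = "results", ext: str = ".txt") -> Path:
    return Path(out_dir) / (username + ext)


# Anything outside this set is replaced; the hyphen at the end is literal.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_username(username: str, max_len: int = 64) -> str:
    """Reduce a user-supplied username to a safe bare filename component."""
    # Normalise Windows separators, then keep only the last path component so
    # '../x', '/abs/x' and 'C:\\x' all collapse to 'x'.
    base = os.path.basename(username.replace("\\", "/"))
    # Replace remaining odd characters and drop leading/trailing dots so that
    # '..' or '.hidden' cannot survive as a component.
    base = _UNSAFE_CHARS.sub("_", base).strip(".")
    if not base:
        raise ValueError(f"username {username!r} yields no usable filename")
    return base[:max_len]


def safe_output_path(username: str, out_dir: str = "results", ext: str = ".txt") -> Path:
    """Build an output path that is guaranteed to sit inside out_dir."""
    root = Path(out_dir).resolve()
    candidate = (root / (sanitize_username(username) + ext)).resolve()
    # Defence in depth: even after sanitising, verify the resolved path is
    # still a descendant of the intended output directory.
    if root not in candidate.parents:
        raise ValueError(f"output path {candidate} escapes {root}")
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs, not real usernames.
    for name in ["alice", "../../outside/escaped", "/abs/path/user", "C:\\Users\\x"]:
        print(f"{name!r:32} unsafe -> {unsafe_output_path(name)}")
        try:
            print(f"{'':32} safe   -> {safe_output_path(name)}")
        except ValueError as err:
            print(f"{'':32} safe   -> rejected: {err}")
```

The forced extension mentioned above is kept in the hardened version too; it limits which files can be overwritten but, as the description says, it does not by itself stop a write into another directory, which is why the basename reduction and the ancestor check are both needed.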
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows arbitrary file writes within the user's write permissions due to unsanitized input used in file naming. This could lead to unauthorized modification or overwriting of files, potentially including sensitive data.
Such unauthorized file manipulation could impact compliance with standards like GDPR or HIPAA, which require strict controls over data integrity and protection against unauthorized access or alteration.
However, the vulnerability requires local execution and does not allow remote code execution, limiting the attack vector.
Mitigation involves sanitizing user input to prevent path traversal and restricting file writes to safe directories, which would help maintain compliance with data protection regulations.
How can this vulnerability impact me?
This vulnerability can allow an attacker to write files to arbitrary locations on the system where the user running tookie-osint has write permissions.
An attacker could exploit this by providing a malicious usernames file or tricking a user into using a crafted -u flag, enabling partial control over the contents of files written by the tool.
The impact includes overwriting existing files or polluting directories with unwanted files, which could lead to data corruption, loss, or unexpected behavior in other applications.
However, the vulnerability requires local execution and does not allow direct remote code execution due to the forced file extensions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the tookie-osint tool writing output files to arbitrary paths due to unsanitized user input in the -u CLI flag or -U usernames file. Detection involves checking for unexpected file writes or files created outside of intended directories when the tool is run.
You can detect potential exploitation by monitoring file creation events for files with extensions .txt, .csv, or .json that are created in unusual or sensitive directories.
Suggested commands include:
- Use file system monitoring tools like inotifywait (Linux) to watch for new files created by tookie-osint outside expected directories.
- Search for files with the relevant extensions that were recently modified in unexpected locations, e.g., `find /path/to/watch -type f \( -name "*.txt" -o -name "*.csv" -o -name "*.json" \) -mtime -1` to list such files modified within the last 24 hours (`-mtime` checks modification time, so an overwritten existing file is caught as well as a newly created one).
- Review the command history or process execution logs for invocations of tookie-osint with suspicious -u or -U parameters containing path traversal sequences like '..', '/', or '\'.
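The third check above, reviewing execution logs for tookie-osint invocations whose `-u` or `-U` value carries a path sequence, as an added example that is not part of this record or of the tool. The log format, the `cmd="..."` field and the usernames-file contents are constructed for the example; adapt `_CMD_RE` to whatever your process-execution telemetry actually emits.

```python
import re
from typing import List, Tuple

# Constructed sample audit lines (not real telemetry): a benign run, a run
# with a traversal sequence in -u, and a run that reads a usernames file.
SAMPLE_LOG = """\
2026-05-11T10:02:11Z host1 audit: uid=1000 cmd="python3 tookie-osint.py -u alice"
2026-05-11T10:05:43Z host1 audit: uid=1000 cmd="python3 tookie-osint.py -u ../../../outside/dir/x"
2026-05-11T10:07:02Z host1 audit: uid=1000 cmd="python3 tookie-osint.py -U /tmp/names.txt"
"""

# Constructed usernames file: two plain names and two path-like entries.
SAMPLE_USERNAMES = "alice\nbob\n../../outside/escaped\n/abs/path/user\n"

_CMD_RE = re.compile(r'cmd="([^"]*)"')


def is_traversal(value: str) -> bool:
    """True when a username contains '..', a separator or a drive prefix.

    Deliberately conservative: a legitimate handle never needs these, so any
    hit is worth a look even if it turns out to be benign.
    """
    v = value.replace("\\", "/")
    return ".." in v or "/" in v or re.match(r"^[A-Za-z]:", v) is not None


def find_tookie_args(cmd: str) -> List[Tuple[str, str]]:
    """Return (flag, value) pairs for -u/-U from a tookie-osint command line."""
    tokens = cmd.split()
    if not any("tookie" in t for t in tokens):
        return []
    pairs = []
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-u", "-U"):
            pairs.append((tok, tokens[i + 1]))
    return pairs


def flag_suspicious_invocations(log_text: str) -> List[Tuple[int, str, str, str]]:
    """Scan audit-style lines; return (line_no, flag, value, reason) hits.

    A -u value is flagged only when it looks like a path. A -U value is always
    reported, because the risk sits in the file's contents, not its name.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = _CMD_RE.search(line)
        if not m:
            continue
        for flag, value in find_tookie_args(m.group(1)):
            if flag == "-u" and is_traversal(value):
                hits.append((n, flag, value, "path sequence in -u"))
            elif flag == "-U":
                hits.append((n, flag, value, "review usernames file contents"))
    return hits


def scan_usernames(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, entry) for usernames-file entries that look like paths."""
    return [(n, e.strip()) for n, e in enumerate(text.splitlines(), 1)
            if e.strip() and is_traversal(e.strip())]


if __name__ == "__main__":
    for hit in flag_suspicious_invocations(SAMPLE_LOG):
        print("log line %d: %s %s (%s)" % hit)
    for n, entry in scan_usernames(SAMPLE_USERNAMES):
        print(f"usernames file line {n}: {entry!r}")
```

Run over the constructed data this reports the second log line for its `-u` value and the third for its `-U` file, and two entries from the usernames file; pairing the `-U` hit with `scan_usernames` on the referenced file closes the loop the bullet describes.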
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves sanitizing user input to prevent path traversal sequences in the -u CLI flag or -U usernames file before the tool writes output files.
Ensure that the tool is updated to version 4.1fix or later, where this vulnerability is fixed.
Restrict write permissions on directories where tookie-osint outputs files to limit the impact of arbitrary file writes.
Avoid running tookie-osint with untrusted usernames files or untrusted input for the -u flag.
Consider running the tool in a restricted environment or container to limit file system access.