CVE-2026-42866
Status: Received - Intake
Tookie OSINT Path Traversal in Output File Handling

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Tookie is an advanced OSINT information gathering tool. Prior to 4.1fix, the write_txt, write_csv, write_json, and (commented-out but still shipping) scan_file helpers in modules/modules.py open their output as open(f"{user}.<ext>"), where user comes unsanitized from the -u CLI flag or from any line of a -U usernames file. A username that contains path-separator sequences (.., /, \, or an absolute path) therefore causes tookie-osint to write the scan output to an arbitrary path that the invoking user has write permission for. This vulnerability is fixed in 4.1fix.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-05-12
AI Q&A: 2026-05-11
EPSS Evaluated: N/A
Affected Vendors & Products
1 associated CPE:
Vendor: alfredredbird
Product: tookie-osint
Version / Range: to 4.1 (exclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-42866 is a high-severity vulnerability in the tookie-osint tool, affecting versions 4.1 and earlier. The vulnerability arises because the tool's functions that write output files (write_txt, write_csv, write_json, and scan_file) use filenames derived directly from user input without sanitization.

Specifically, the username input from the -u CLI flag or -U usernames file can contain path-separator sequences such as '..', '/', '\', or absolute paths. This allows an attacker to cause the tool to write output files to arbitrary locations where the invoking user has write permissions, leading to an arbitrary file write vulnerability.

Although the tool forces file extensions (.txt, .csv, .json), which limits the attack surface, it does not prevent overwriting existing files or placing files in unintended directories.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows arbitrary file writes within the user's write permissions due to unsanitized input used in file naming. This could lead to unauthorized modification or overwriting of files, potentially including sensitive data.

Such unauthorized file manipulation could impact compliance with standards like GDPR or HIPAA, which require strict controls over data integrity and protection against unauthorized access or alteration.

However, the vulnerability requires local execution and does not allow remote code execution, limiting the attack vector.

Mitigation involves sanitizing user input to prevent path traversal and restricting file writes to safe directories, which would help maintain compliance with data protection regulations.


How can this vulnerability impact me?

This vulnerability can allow an attacker to write files to arbitrary locations on the system where the user running tookie-osint has write permissions.

An attacker could exploit this by providing a malicious usernames file or tricking a user into using a crafted -u flag, enabling partial control over the contents of files written by the tool.

The impact includes overwriting existing files or polluting directories with unwanted files, which could lead to data corruption, loss, or unexpected behavior in other applications.

However, the vulnerability requires local execution and does not allow direct remote code execution due to the forced file extensions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the tookie-osint tool writing output files to arbitrary paths due to unsanitized user input in the -u CLI flag or -U usernames file. Detection involves checking for unexpected file writes or files created outside of intended directories when the tool is run.

You can detect potential exploitation by monitoring file creation events for files with extensions .txt, .csv, or .json that are created in unusual or sensitive directories.

Suggested commands include:

  • Use file system monitoring tools like inotifywait (Linux) to watch for new files created by tookie-osint outside expected directories.
  • Search for recently written files with the relevant extensions in unexpected locations, e.g., `find /path/to/watch -type f \( -name "*.txt" -o -name "*.csv" -o -name "*.json" \) -mtime -1` to list files modified in the last day.
  • Review the command history or process execution logs for invocations of tookie-osint with suspicious -u or -U parameters containing path traversal sequences like '..', '/', or '\'.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves sanitizing user input to prevent path traversal sequences in the -u CLI flag or -U usernames file before the tool writes output files.

Ensure that the tool is updated to version 4.1fix or later, where this vulnerability is fixed.

Restrict write permissions on directories where tookie-osint outputs files to limit the impact of arbitrary file writes.

Avoid running tookie-osint with untrusted usernames files or untrusted input for the -u flag.

Consider running the tool in a restricted environment or container to limit file system access.
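The following Python is an added illustration, not code from tookie-osint: it puts the unsanitized filename construction from the description beside a hardened form that allow-lists the username and confirms the resolved path stays inside a fixed output directory, and it reuses the same check to audit a -U usernames file before the tool is run. The function names, the allow-list regex, and the sample usernames file are assumptions made for this example.

```python
import re
from pathlib import Path

# Mirrors the pattern described in the advisory (open(f"{user}.<ext>") in
# modules/modules.py before 4.1fix): the path is built straight from `user`.
def vulnerable_output_path(user: str, ext: str) -> str:
    return f"{user}.{ext}"   # "../../.bashrc" or "/tmp/x" passes through unchanged

# Hypothetical allow-list: a single path component made of safe characters.
_SAFE_USERNAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def is_safe_username(user: str) -> bool:
    """Reject anything that could change the directory of the output file."""
    if not _SAFE_USERNAME.fullmatch(user):
        return False      # rejects '/', '\\', NUL, whitespace and the empty string
    if user == ".." or user.startswith("."):
        return False      # no parent-directory reference, no dot-files
    return True

def safe_output_path(user: str, ext: str, out_dir: str) -> Path:
    """Hardened form: validate the name, then confirm the result stays in out_dir."""
    if not is_safe_username(user):
        raise ValueError(f"refusing unsafe username: {user!r}")
    base = Path(out_dir).resolve()
    target = (base / f"{user}.{ext}").resolve()
    # Defence in depth: even if the allow-list is loosened later, never leave base.
    if target.parent != base:
        raise ValueError(f"output path escapes {base}: {target}")
    return target

def audit_usernames_file(text: str) -> list:
    """Return the lines of a -U usernames file the hardened check would reject."""
    return [line for line in text.splitlines() if line and not is_safe_username(line)]

# Constructed sample usernames file for this example (not real data).
SAMPLE_USERNAMES = "alice\nbob_99\n../../.bashrc\n/tmp/owned\nC:\\Users\\victim\\note\n"

if __name__ == "__main__":
    print("vulnerable:", vulnerable_output_path("../../.bashrc", "txt"))
    print("hardened:  ", safe_output_path("alice", "txt", "."))
    print("rejected lines:", audit_usernames_file(SAMPLE_USERNAMES))
```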

