OS Command Injection Vulnerability in Parseusbs by Khyrenz
CVE-2026-40029

8.5 HIGH

Key Information:

Vendor: Khyrenz

Status: Vendor

CVE Published: 8 April 2026

What is CVE-2026-40029?

Parseusbs by Khyrenz, before version 1.9, contains an OS command injection flaw in the parseUSBs.py script. File paths recovered from .lnk files are not properly sanitized before being interpolated into a shell command string that is executed with os.popen(). An attacker who can place a .lnk file whose name contains shell metacharacters (for example a semicolon followed by a command) on media that is later examined gets arbitrary command execution on the machine that parses the USB artifacts, with the privileges of the user running the tool. Because the tool is aimed at forensic examiners, the system at risk is the examiner's workstation, so users should update to the latest version.
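The following Python example is added here to illustrate the class of bug described above; it is not code from parseUSBs.py or from Khyrenz. It shows the vulnerable shape (an untrusted path interpolated into an os.popen() shell string) next to a hardened version that passes the path as a single argv element through subprocess.run(), plus shlex.quote() for the case where a shell string cannot be avoided. The function names, the use of cat as a stand-in for whatever the real script shells out to, the metacharacter list, and the constructed hostile filename are all assumptions for illustration, and the example assumes a POSIX /bin/sh.

```python
"""Hypothetical illustration of the os.popen() command-injection pattern
behind CVE-2026-40029 and a hardened alternative. Not parseUSBs.py code."""
import os
import shlex
import subprocess
import tempfile
from pathlib import Path

# Characters a POSIX shell treats specially (assumed list for the demo).
# A path containing any of them must never be spliced into a shell string.
SHELL_METACHARACTERS = frozenset(";&|`$<>()\"'\\*?[]{}~#!\n\t ")


def has_shell_metacharacters(path: str) -> bool:
    """Cheap detector: does this path contain anything a shell would parse?"""
    return any(ch in SHELL_METACHARACTERS for ch in path)


def read_unsafe(lnk_path: str) -> str:
    """VULNERABLE pattern (hypothetical): the attacker-controlled path is
    interpolated into a command string and run via os.popen(), which calls
    /bin/sh -c. A ';' in the filename ends the cat command and starts a new one."""
    with os.popen(f"cat {lnk_path}") as proc:
        return proc.read()


def read_safe(lnk_path: str) -> str:
    """Hardened pattern: argv list with shell=False (the default). The path
    reaches the child as exactly one argument; no shell ever parses it.
    A hostile name simply becomes a non-existent file reported on stderr."""
    result = subprocess.run(["cat", lnk_path], capture_output=True,
                            text=True, check=False)
    return result.stdout


def quoted_command(lnk_path: str) -> str:
    """If a shell string is unavoidable, shlex.quote() turns the path into a
    single quoted word so metacharacters stay literal."""
    return f"cat {shlex.quote(lnk_path)}"


def read_quoted(lnk_path: str) -> str:
    """Same os.popen() call as read_unsafe, but with the path quoted."""
    with os.popen(quoted_command(lnk_path)) as proc:
        return proc.read()


def demo() -> dict:
    """Constructed inputs: a benign .lnk file and a hostile filename that
    carries a shell command after a separator. Returns what each variant
    produced so the difference can be checked rather than eyeballed."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "Report.lnk"
        benign.write_text("lnk-bytes")
        # Hostile name as an attacker might embed it in examined media.
        hostile = f"{tmp}/missing.lnk; echo INJECTED"
        return {
            "benign_safe": read_safe(str(benign)),
            "hostile_unsafe": read_unsafe(hostile),
            "hostile_safe": read_safe(hostile),
            "hostile_quoted": read_quoted(hostile),
            "hostile_flagged": has_shell_metacharacters(hostile),
            "benign_flagged": has_shell_metacharacters(str(benign)),
            "quoted": quoted_command(hostile),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the block prints INJECTED only for the os.popen() variant with the raw path; the argv-list and shlex.quote() variants treat the whole hostile string as one filename. The metacharacter check is a useful defensive log line for a forensic tool, but it is not a substitute for avoiding the shell altogether.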

Affected Version(s)

parseusbs 0 < 1.9

parseusbs 1.9

parseusbs 99f05996494e7e41ea0c7e13145ba20eb793e46b

CVSS v4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability reserved

  • Vulnerability published

Credit

Mobasi Security Team