OS Command Injection in parseusbs by Khyrenz
CVE-2026-40030

8.4HIGH

Key Information:

Vendor

Khyrenz

Status
Parseusbs
Vendor
CVE Published:
8 April 2026

What is CVE-2026-40030?

In parseusbs versions prior to 1.9, an OS command injection flaw exists due to the vulnerable handling of the volume listing path argument specified by the -v flag. This argument is passed unsanitized to an os.popen() command, enabling attackers to inject arbitrary shell commands through crafted volume path arguments that include shell metacharacters. This vulnerability allows unauthorized execution of commands during volume content enumeration, posing significant security risks.

Affected Version(s)

parseusbs 0 < 1.9

parseusbs 1.9

parseusbs 99f05996494e7e41ea0c7e13145ba20eb793e46b

References

https://github.com/khyrenz/parseusbs/pull/10
product
https://github.com/khyrenz/parseusbs/commit/99f05996494e7...
patch
https://mobasi.ai/sentinel
vendor-advisory

CVSS V4

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mobasi Security Team
.