CVE-2019-12761
Description
A code injection vulnerability in PyXDG before 0.26 allows arbitrary code execution via unsanitized Category elements in .menu XML files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
CVE-2019-12761 is a code injection vulnerability in PyXDG versions prior to 0.26. The flaw exists in the xdg/Menu.py module, which handles the parsing of .menu XML files according to the freedesktop.org Menu Specification. The root cause is the lack of sanitization of the Category element content before it is passed to Python's eval() function. An attacker can embed arbitrary Python code within a Category element, which will be executed when the menu is parsed [1][2].
Exploitation
Conditions
Exploitation requires the attacker to control a .menu file whose Category element contains crafted Python code. The file must be placed in a directory that is part of the XDG_CONFIG_DIRS environment variable, causing xdg.Menu.parse() to process it. No authentication is required, but the victim must either be tricked into running an application that parses such a menu file or the attacker must be able to write to a location scanned by the XDG menu system. A proof-of-concept using __import__('os').system() demonstrates successful command execution [2][3].
Impact
Successful exploitation allows arbitrary code execution in the context of the user or application that triggers the menu parsing. An attacker could execute system commands, install malware, escalate privileges, or steal sensitive data. The vulnerability is particularly dangerous because it can be triggered without explicit user interaction beyond running a desktop environment or tool that reads XDG menus [1][4].
Mitigation
Status
The vulnerability has been fixed in PyXDG version 0.26. Users should upgrade immediately. No workarounds are known; removing untrusted .menu files from XDG_CONFIG_DIRS paths can reduce risk but is not a complete solution. The vulnerability is tracked in the PyPI advisory database (PYSEC-2019-199) [4].
- [1] NVD - CVE-2019-12761
- [2] Proof-of-Concept for python-xdg 0.25 Python code injection (CVE-2019-12761)
- [3] GitHub - takluyver/pyxdg: PyXDG provides Python implementations of various freedesktop.org specifications. This is the GitHub mirror.
- [4] advisory-database/vulns/pyxdg/PYSEC-2019-199.yaml at main · pypa/advisory-database
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pyxdg (PyPI) | < 0.26 | 0.26 |
Affected products
- PyXDG / PyXDG (GHSA coordinates; 11 package identifiers, no CPE assigned):
  - pkg:pypi/pyxdg, range: < 0.26
  - pkg:rpm/suse/python-pyxdg&distro=SUSE%20Enterprise%20Storage%206, range: < 0.25-150000.3.3.1
  - pkg:rpm/suse/python-pyxdg&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS, range: < 0.25-150000.3.3.1
  - pkg:rpm/suse/python-pyxdg&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS, range: < 0.25-150000.3.3.1
  - pkg:rpm/suse/python-pyxdg&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS, range: < 0.25-150000.3.3.1
  - pkg:rpm/suse/python-pyxdg&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS, range: < 0.25-150000.3.3.1
  - pkg:rpm/suse/python-pyxdg&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL, range: < 0.25-150000.3.3.1
  - pkg:rpm/suse/python-pyxdg&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS, range: < 0.25-150000.3.3.1
  - pkg:rpm/suse/python-pyxdg&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS, range: < 0.25-150000.3.3.1
  - pkg:rpm/suse/python-pyxdg&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015, range: < 0.25-150000.3.3.1
  - pkg:rpm/suse/python-pyxdg&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1, range: < 0.25-150000.3.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in xdg/Menu.py before an eval() call allows arbitrary Python code injection via a Category element in a .menu XML file."
Attack vector
An attacker crafts a `.menu` XML file containing a `Category` element with malicious Python code (e.g., `' or __import__('os').system('ls > /tmp/result.txt') or '`) [ref_id=2]. The attacker then sets `XDG_CONFIG_DIRS` to point to a directory containing this file, so that when `xdg.Menu.parse()` is called, the file is loaded and the unsanitized `eval()` call executes the injected code [CWE-94][ref_id=1][ref_id=3]. No authentication is required; the attacker only needs the ability to place a `.menu` file in a location that will be parsed and to influence the `XDG_CONFIG_DIRS` environment variable.
Affected code
The vulnerability resides in `xdg/Menu.py` [ref_id=1][ref_id=2][ref_id=3]. The `parse()` function in that file processes a `.menu` XML document and, when encountering a `Category` element, passes its content directly to Python's `eval()` without sanitization [ref_id=1][ref_id=3].
What the fix does
The fix in PyXDG 0.26 removes or replaces the unsanitized `eval()` call in `xdg/Menu.py` with safe parsing logic that does not interpret `Category` element content as Python code [ref_id=1][ref_id=3]. The advisory recommends upgrading to version 0.26 or higher [ref_id=3]; no patch diff is provided in the bundle, but the remediation is to eliminate the dangerous `eval()` on untrusted input.
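To make the difference between the two parsing strategies concrete, here is an added, self-contained illustration; it is not PyXDG's code and not the 0.26 patch. It matches a `Category` rule first by building a Python expression for `eval()` (the pattern the CVE describes) and then by comparing the element text as plain data, and it adds a defender's check that flags `.menu` files whose `Category` text is not a plain category name. The two menu documents, the desktop-entry category lists, the `CATEGORY_RE` pattern and all function names are constructed for this example; the crafted `Category` value used here only flips the rule's truth value rather than running a command.

```python
"""Added illustration, not PyXDG's code: matching a .menu <Category> rule via
eval() (the CVE-2019-12761 pattern) beside matching it as plain data, plus a
check that flags Category text which is not a plain category name."""
import re
import xml.etree.ElementTree as ET

# Constructed sample .menu documents (simplified; real files carry more elements).
# The second one carries a crafted Category value of the kind the CVE describes,
# chosen so that it only changes the rule's truth value instead of running a command.
SAMPLE_MENU = """<Menu>
  <Name>Applications</Name>
  <Include>
    <Category>Development</Category>
  </Include>
</Menu>"""

CRAFTED_MENU = """<Menu>
  <Name>Applications</Name>
  <Include>
    <Category>' or 1 or '</Category>
  </Include>
</Menu>"""

# Assumption for the check below: a legitimate category name is a plain token
# (letters, digits, '-', '_', '.', '+'), e.g. "Development" or "X-Custom".
CATEGORY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.+-]*$")


def include_categories(menu_xml):
    """Return the text of every <Include>/<Category> element, as plain strings."""
    root = ET.fromstring(menu_xml)
    return [cat.text or "" for inc in root.iter("Include") for cat in inc.iter("Category")]


def matches_eval(categories, entry_categories):
    """Vulnerable pattern: the rule becomes Python source that is eval()'d, so the
    Category text is interpreted as code rather than as data.  A value such as
    "' or 1 or '" closes the string literal and makes the expression always true."""
    content = {"Categories": list(entry_categories)}
    for cat in categories:
        expr = "'%s' in content['Categories']" % cat
        if eval(expr, {}, {"content": content}):  # deliberately unsafe, for contrast
            return True
    return False


def matches_safe(categories, entry_categories):
    """Hardened pattern: the Category text is only ever compared as a string,
    so no value can change the structure of the rule."""
    wanted = set(entry_categories)
    return any(cat in wanted for cat in categories)


def suspicious_categories(menu_xml):
    """Defender check: Category values that are not plain category names.
    Useful when auditing .menu files found under XDG_CONFIG_DIRS."""
    return [cat for cat in include_categories(menu_xml) if not CATEGORY_RE.match(cat)]


if __name__ == "__main__":
    entry = ["Game", "ArcadeGame"]  # constructed desktop-entry categories
    crafted = include_categories(CRAFTED_MENU)
    print("eval-based match on crafted rule:", matches_eval(crafted, entry))  # True
    print("data-based match on crafted rule:", matches_safe(crafted, entry))  # False
    print("flagged values:", suspicious_categories(CRAFTED_MENU))  # ["' or 1 or '"]
```

The point of the contrast is that the data-based matcher never has a code path in which element text can change what gets executed, which is what "eliminate the dangerous `eval()` on untrusted input" means in practice; the `suspicious_categories` check is a cheap audit for menu files on a host that cannot yet be upgraded, not a substitute for the upgrade.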
Preconditions
- input: the attacker must be able to place a crafted .menu file in a directory that will be parsed
- config: XDG_CONFIG_DIRS must be set to include the directory containing the malicious .menu file
- input: the application must call xdg.Menu.parse() on the affected menu file
Reproduction
The PoC script in [ref_id=2] demonstrates reproduction: create a temporary directory, write a `.menu` file with a `Category` element containing `' or __import__('os').system('ls > /tmp/result.txt') or '`, set `XDG_CONFIG_DIRS` to that directory, and call `xdg.Menu.parse()`. The injected `os.system()` command executes, writing output to `/tmp/result.txt`.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r6v3-hpxj-r8rv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-12761 (ghsa, ADVISORY)
- gist.github.com/dhondta/b45cd41f4186110a354dc7272916feba (ghsa, x_refsource_MISC, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/pyxdg/PYSEC-2019-199.yaml (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2019/06/msg00006.html (ghsa, mailing-list, x_refsource_MLIST, WEB)
- lists.debian.org/debian-lts-announce/2021/08/msg00003.html (ghsa, mailing-list, x_refsource_MLIST, WEB)
- snyk.io/vuln/SNYK-PYTHON-PYXDG-174562 (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.