High severity7.8NVD Advisory· Published Apr 8, 2026· Updated Apr 13, 2026

CVE-2026-40029

Description

parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing.

Affected products

Khyrenz/Parseusbs
cpe:2.3:a:khyrenz:parseusbs:*:*:*:*:*:*:*:*
Range: <1.9

Patches

99f05996494e

https://github.com/khyrenz/parseusbsvia nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/khyrenz/parseusbs/commit/99f05996494e7e41ea0c7e13145ba20eb793e46bnvdPatch
mobasi.ai/sentinelnvdThird Party Advisory
www.vulncheck.com/advisories/parseusbs-command-injection-via-crafted-lnk-filenamenvdThird Party Advisory
github.com/khyrenz/parseusbs/pull/10nvdIssue Tracking

News mentions

No linked articles in our index yet.

cvss	0.507
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000