Medium severityNVD Advisory· Published May 11, 2026· Updated May 13, 2026
CVE-2026-42866
CVE-2026-42866
Description
Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's write_txt, write_csv, write_json, and (commented-but-shipping) scan_file helpers open their output as open(f"{user}."), where user comes unsanitized from the -u CLI flag or any line of a -U usernames file. A username that contains path-separator sequences (.., /, \, or an absolute path) causes tookie-osint to write the scan output to an arbitrary path the invoking user has write permission for. This vulnerability is fixed in 4.1fix.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: < 4.1fix
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.