CVE-2026-40029— parseusbs < 1.9 Command Injection via Crafted LNK Filename

parseusbs < 1.9 Command Injection via Crafted LNK Filename

parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

parseusbs 操作系统命令注入漏洞

parseusbs是Khyrenz Ltd个人开发者的一个USB连接记录取证分析工具。 parseusbs 1.9之前版本存在操作系统命令注入漏洞，该漏洞源于parseUSBs.py中LNK文件路径未经清理即传递给os.popen() shell命令，可能导致通过特制的.lnk文件名执行任意命令。

N/A

N/A