CVE-2026-40030— parseusbs < 1.9 Command Injection via Volume Path Argument

parseusbs < 1.9 Command Injection via Volume Path Argument

parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command with ls, allowing arbitrary command injection via crafted volume path arguments containing shell metacharacters. An attacker can provide a crafted volume path via the -v flag that injects arbitrary commands during volume content enumeration.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

parseusbs 操作系统命令注入漏洞

parseusbs是Khyrenz Ltd个人开发者的一个USB连接记录取证分析工具。 parseusbs 1.9之前版本存在操作系统命令注入漏洞，该漏洞源于卷列表路径参数未经清理即传递给带有ls的os.popen() shell命令，可能导致通过特制的卷路径参数注入任意命令。

N/A

N/A