Description

parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command with ls, allowing arbitrary command injection via crafted volume path arguments containing shell metacharacters. An attacker can provide a crafted volume path via the -v flag that injects arbitrary commands during volume content enumeration.
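
The fix pattern for the flaw described above, as an added example that is not parseusbs code and not taken from the patch commit: the volume path is validated and listed without a shell, so metacharacters in it stay literal. The function names and the sample directory and file names are assumptions constructed for illustration.

```python
"""Shell-free volume listing (hypothetical helper names; not parseusbs code)."""
import os
import subprocess
import tempfile

# Pattern the advisory describes, kept as a comment only:
#   os.popen("ls " + volume)   # -v value is concatenated and parsed by a shell


def validate_volume(volume):
    """Resolve the -v argument and require an existing directory."""
    if "\x00" in volume:
        raise ValueError("NUL byte in volume path")
    resolved = os.path.realpath(volume)
    if not os.path.isdir(resolved):
        raise ValueError(f"not a directory: {volume!r}")
    return resolved


def list_volume(volume):
    """Enumerate entries with os.scandir: no shell and no child process."""
    root = validate_volume(volume)
    with os.scandir(root) as entries:
        return sorted(entry.name for entry in entries)


def list_volume_ls(volume):
    """If ls itself is required: argv list, no shell, '--' ends option parsing."""
    root = validate_volume(volume)
    proc = subprocess.run(["ls", "-A", "--", root],
                          capture_output=True, text=True, check=True)
    return sorted(proc.stdout.splitlines())


def demo():
    """Constructed input: a directory whose name contains shell metacharacters."""
    with tempfile.TemporaryDirectory() as tmp:
        odd = os.path.join(tmp, "vol; echo injected")  # a literal directory name
        os.mkdir(odd)
        open(os.path.join(odd, "sample.txt"), "w").close()
        result = {"scandir": list_volume(odd), "ls": list_volume_ls(odd)}
        try:
            list_volume(os.path.join(tmp, "missing; echo injected"))
            result["rejected"] = False
        except ValueError:
            result["rejected"] = True  # nonexistent path fails validation
        return result


if __name__ == "__main__":
    print(demo())
```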

PUBLISHED Reserved 2026-04-08 | Published 2026-04-08 | Updated 2026-05-08 | Assigner VulnCheck




HIGH: 8.4 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

HIGH: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: unaffected

Any version before 1.9.0: affected

1.9.0 (semver): unaffected

99f05996494e7e41ea0c7e13145ba20eb793e46b (git): unaffected

Credits

Mobasi Security Team (finder)

References

github.com/khyrenz/parseusbs/pull/10 (Pull Request) product

github.com/...ommit/99f05996494e7e41ea0c7e13145ba20eb793e46b (Patch Commit) patch

mobasi.ai/sentinel (Mobasi Sentinel Vulnerability Index) vendor-advisory

www.vulncheck.com/...mand-injection-via-volume-path-argument (VulnCheck Advisory: parseusbs < 1.9 Command Injection via Volume Path Argument) third-party-advisory

cve.org (CVE-2026-40030)

nvd.nist.gov (CVE-2026-40030)
