CVE-2026-42866 | THREATINT

Description

Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's write_txt, write_csv, write_json, and (commented-but-shipping) scan_file helpers open their output as open(f"{user}.<ext>"), where user comes unsanitized from the -u CLI flag or any line of a -U usernames file. A username that contains path-separator sequences (.., /, \, or an absolute path) causes tookie-osint to write the scan output to an arbitrary path the invoking user has write permission for. This vulnerability is fixed in 4.1fix.

PUBLISHED Reserved 2026-04-30 | Published 2026-05-11 | Updated 2026-05-11 | Assigner GitHub_M

MEDIUM: 6.7CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73: External Control of File Name or Path

Product status

< 4.1fix

affected

References

github.com/...-osint/security/advisories/GHSA-rp68-wfv6-3cq3 exploit

github.com/...-osint/security/advisories/GHSA-rp68-wfv6-3cq3

cve.org (CVE-2026-42866)

nvd.nist.gov (CVE-2026-42866)

Download JSON