CVE-2026-40029 HIGH

CVE-2026-40029: parseusbs < 1.9 Command Injection via Crafted LNK Filename

Vendor Khyrenz

Product parseusbs

Weakness CWE-78

Published April 8, 2026

Last update May 8, 2026

View on NVD All CVEs

CVSS base score

8.5/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing.

Key dates

02Disclosure timeline

April 8, 2026 CVE published

May 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-40029 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

CVE-2026-40029: parseusbs < 1.9 Command Injection via Crafted LNK Filename

01Description

02Disclosure timeline

03References

04Related CVE