exploitDog

GHSA-pqxv-pjgq-x85w

Опубликовано: 09 апр. 2026

Источник: github

Github: Не прошло ревью

CVSS4: 8.4

CVSS3: 7.8

Описание

parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command with ls, allowing arbitrary command injection via crafted volume path arguments containing shell metacharacters. An attacker can provide a crafted volume path via the -v flag that injects arbitrary commands during volume content enumeration.

parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command with ls, allowing arbitrary command injection via crafted volume path arguments containing shell metacharacters. An attacker can provide a crafted volume path via the -v flag that injects arbitrary commands during volume content enumeration.

Ссылки

EPSS

Процентиль: 5%

0.0002

Низкий

8.4 High

CVSS4

7.8 High

CVSS3

CVE ID

Дефекты

CWE-78

Связанные уязвимости

CVE-2026-40030

CVSS3: 7.8

nvd

4 дня назад

parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command with ls, allowing arbitrary command injection via crafted volume path arguments containing shell metacharacters. An attacker can provide a crafted volume path via the -v flag that injects arbitrary commands during volume content enumeration.

EPSS

Процентиль: 5%

0.0002

Низкий

8.4 High

CVSS4

7.8 High

CVSS3

CVE ID

Дефекты

CWE-78