CVE-2026-40030
Severity: HIGH; WAF: High
CVSS 7.8
Published: 2026-04-08
CWE-78
parseusbs before 1.9 contains an OS command injection vulnerability (CWE-78): the volume listing path supplied with the -v flag is concatenated, unsanitized, into a shell command built around ls and executed with os.popen(). Because os.popen() hands its argument to the system shell, a volume path containing shell metacharacters causes the embedded commands to run with the privileges of the parseusbs process while volume contents are being enumerated. Any attacker who can influence the -v argument therefore gets arbitrary command execution.
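The following is an added example, not code from parseusbs or the advisory. It reconstructs the pattern the description names (a path string concatenated into an os.popen() call around ls) beside two shell-free replacements, and exercises them on a constructed path that carries a harmless injected echo. The volume path, file names and the helper names are all assumptions made for the demonstration.

```python
import os
import subprocess
import tempfile
from typing import List

# Constructed input, not taken from the advisory: a -v "volume path" carrying
# shell metacharacters. The injected command is a harmless echo so the effect
# is observable without side effects.
INJECTED_VOLUME = "/nonexistent; echo INJECTED"


def build_popen_command(volume_path: str) -> str:
    """Hypothetical reconstruction of the vulnerable pattern (not parseusbs'
    own source): the user-controlled path is concatenated into one shell
    string that is then handed to os.popen()."""
    return "ls " + volume_path


def list_volume_vulnerable(volume_path: str) -> str:
    """CWE-78: os.popen() runs the string through /bin/sh, so ';', '|', '$()'
    and similar inside volume_path are interpreted as shell syntax."""
    with os.popen(build_popen_command(volume_path)) as proc:
        return proc.read()


def list_volume_safe(volume_path: str) -> List[str]:
    """Hardened: enumerate the directory with os.scandir(). No shell is
    involved, so the argument can only ever be treated as a single path."""
    if not os.path.isdir(volume_path):
        raise FileNotFoundError(f"volume path is not a directory: {volume_path!r}")
    return sorted(entry.name for entry in os.scandir(volume_path))


def list_volume_safe_subprocess(volume_path: str) -> List[str]:
    """If an external ls is genuinely wanted: pass an argv list (no shell) and
    end option parsing with '--' so a path beginning with '-' cannot be read
    as an ls option either."""
    result = subprocess.run(
        ["ls", "-1", "--", volume_path],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.splitlines()


def make_demo_volume() -> str:
    """Constructed fixture: a temporary directory standing in for a mounted
    volume, containing two files."""
    root = tempfile.mkdtemp(prefix="parseusbs-demo-")
    for name in ("a.txt", "b.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(name)
    return root


if __name__ == "__main__":
    print("shell string the vulnerable path builds:", build_popen_command(INJECTED_VOLUME))
    print("vulnerable output:", list_volume_vulnerable(INJECTED_VOLUME).strip())
    try:
        list_volume_safe(INJECTED_VOLUME)
    except FileNotFoundError as exc:
        print("hardened path rejected it:", exc)
    demo = make_demo_volume()
    print("hardened listing:", list_volume_safe(demo))
```

Running the vulnerable function prints INJECTED because the shell splits the string at the semicolon; the hardened versions either reject the string as a non-existent directory or pass it to ls as one literal argument. Quoting the path with shlex.quote() before concatenation would also neutralise this particular input, but removing the shell from the call path (os.scandir, or subprocess with an argv list) is the fix that leaves nothing to escape.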
WAF Coverage Analysis
OS Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution (OWASP CRS rule family)
Affected Software
| Vendor | Product | Version |
|---|---|---|
| khyrenz | parseusbs | up to 1.9 |
References
- github.com (Patch)
- github.com (Issue Tracking)
- mobasi.ai (Third Party Advisory)
- www.vulncheck.com (Third Party Advisory)