{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40030", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-08T13:36:50.661Z", "datePublished": "2026-04-08T21:35:25.533Z", "dateUpdated": "2026-05-08T14:07:34.972Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-08T14:07:34.972Z"}, "title": "parseusbs < 1.9 Command Injection via Volume Path Argument", "descriptions": [{"lang": "en", "value": "parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command with ls, allowing arbitrary command injection via crafted volume path arguments containing shell metacharacters. An attacker can provide a crafted volume path via the -v flag that injects arbitrary commands during volume content enumeration."}], "tags": ["x_open-source"], "datePublic": "2026-02-08T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "affected": [{"vendor": "khyrenz", "product": "parseusbs", "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "1.9.0", "versionType": "semver"}, {"version": "1.9.0", "status": "unaffected", "versionType": "semver"}, {"status": "unaffected", "version": "99f05996494e7e41ea0c7e13145ba20eb793e46b", "versionType": "git"}]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "references": [{"url": "https://github.com/khyrenz/parseusbs/pull/10", "name": "Pull Request", "tags": ["product"]}, {"url": "https://github.com/khyrenz/parseusbs/commit/99f05996494e7e41ea0c7e13145ba20eb793e46b", "name": "Patch Commit", "tags": ["patch"]}, {"url": "https://mobasi.ai/sentinel", "name": "Mobasi Sentinel Vulnerability Index", "tags": ["vendor-advisory"]}, {"name": "VulnCheck Advisory: parseusbs < 1.9 Command Injection via Volume Path Argument", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/parseusbs-command-injection-via-volume-path-argument"}], "credits": [{"lang": "en", "value": "Mobasi Security Team", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T18:07:55.498397Z", "id": "CVE-2026-40030", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T18:10:49.070Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40030", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T18:07:55.498397Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T18:09:39.436Z"}}], "cna": {"tags": ["x_open-source"], "title": "parseusbs < 1.9 Command Injection via Volume Path Argument", "credits": [{"lang": "en", "type": "finder", "value": "Mobasi Security Team"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.4, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "khyrenz", "product": "parseusbs", "versions": [{"status": "affected", "version": "0", "lessThan": "1.9.0", "versionType": "semver"}, {"status": "unaffected", "version": "1.9.0", "versionType": "semver"}, {"status": "unaffected", "version": "99f05996494e7e41ea0c7e13145ba20eb793e46b", "versionType": "git"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-08T00:00:00.000Z", "references": [{"url": "https://github.com/khyrenz/parseusbs/pull/10", "name": "Pull Request", "tags": ["product"]}, {"url": "https://github.com/khyrenz/parseusbs/commit/99f05996494e7e41ea0c7e13145ba20eb793e46b", "name": "Patch Commit", "tags": ["patch"]}, {"url": "https://mobasi.ai/sentinel", "name": "Mobasi Sentinel Vulnerability Index", "tags": ["vendor-advisory"]}, {"url": "https://www.vulncheck.com/advisories/parseusbs-command-injection-via-volume-path-argument", "name": "VulnCheck Advisory: parseusbs < 1.9 Command Injection via Volume Path Argument", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command with ls, allowing arbitrary command injection via crafted volume path arguments containing shell metacharacters. An attacker can provide a crafted volume path via the -v flag that injects arbitrary commands during volume content enumeration."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-08T14:07:34.972Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40030", "state": "PUBLISHED", "dateUpdated": "2026-05-08T14:07:34.972Z", "dateReserved": "2026-04-08T13:36:50.661Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-08T21:35:25.533Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:khyrenz:parseusbs:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F7B9F1A-2137-42B6-8E28-88D4790F4892", "versionEndExcluding": "1.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command with ls, allowing arbitrary command injection via crafted volume path arguments containing shell metacharacters. An attacker can provide a crafted volume path via the -v flag that injects arbitrary commands during volume content enumeration."}], "id": "CVE-2026-40030", "lastModified": "2026-04-13T20:27:37.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-08T22:16:23.483", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/khyrenz/parseusbs/commit/99f05996494e7e41ea0c7e13145ba20eb793e46b"}, {"source": "disclosure@vulncheck.com", "tags": ["Issue Tracking"], "url": "https://github.com/khyrenz/parseusbs/pull/10"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://mobasi.ai/sentinel"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/parseusbs-command-injection-via-volume-path-argument"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.9)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "1.9"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "code_commit", "value": "99f05996494e7e41ea0c7e13145ba20eb793e46b"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "parseusbs", "source": "cna", "vendor": "khyrenz"}, "product": "parseusbs", "vendor": "khyrenz"}], "analysis": {"en": {"generated_at": "2026-04-13T21:37:31.996998+00:00", "value": {"mitigation_remediation": ["Upgrade to parseusbs version 1.9 or later. If an upgrade is not immediately possible, avoid using the -v flag with untrusted input or manually edit the script to sanitize the volume path argument before passing it to os.popen(). Restrict the execution privileges of parseusbs and monitor for anomalous command usage."], "summary": {"action": "Immediate Patch", "impact": "arbitrary command execution"}, "threat_synthesis": {"affected_systems": "Affected systems are installations of parseusbs by the vendor khyrenz. Any instance of the tool with a major version lower than 1.9 is vulnerable. This includes the open-source distribution on GitHub and any downstream deployments that have not applied the patch in commit 99f05996494e7e41ea0c7e13145ba20eb793e46b or merged pull request 10.", "description_and_impact": "The vulnerability exists in parseusbs versions prior to 1.9. The tool accepts a volume path argument via the -v flag, which is directly inserted into an os.popen() shell command that runs ls. Because the input is not sanitized, an attacker can insert shell metacharacters to execute arbitrary commands during the enumeration process. This allows the attacker to run any shell command with the privileges of the user running parseusbs, effectively achieving remote code execution or elevated privilege exploitation if the tool is run as root.", "risk_and_exploitability": "The CVSS base score of 8.4 indicates high severity. EPSS is under 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation at present. The attack vector relies on supplying a crafted -v argument, which implies the attacker needs the ability to invoke parseusbs, typically a local or user\u2011level adversary. If the tool is run with elevated privileges, arbitrary command execution could lead to full system compromise. Therefore organizations should treat this as a high\u2011risk issue while the exploit probability remains modest."}}}}, "created": "2026-04-09T08:16:26.592292+00:00", "updated": "2026-04-14T16:37:00.250521+00:00", "vendors": ["khyrenz", "khyrenz$PRODUCT$parseusbs"]}