What is CVE-2026-40029?

CVE-2026-40029 is a high-severity vulnerability in Khyrenz Parseusbs, classified under OS Command Injection. CVSS score: 7.8/10. Published 2026-04-08.

How severe is CVE-2026-40029?

High severity. CVSS v3 base score is 7.8 out of 10.

RCE in Khyrenz Parseusbs

CVE-2026-40029

parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing sh…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.000 (8.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.8 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

Affected products

Khyrenz Parseusbs — versions 99f05996494e7e41ea0c7e13145ba20eb793e46b, 1.9.0, 0

Weakness classification (CWE)

CWE-78 — OS Command Injection

References

Pull Request (product)
Patch Commit (patch)
Mobasi Sentinel Vulnerability Index (vendor-advisory)
VulnCheck Advisory: parseusbs < 1.9 Command Injection via Crafted LNK Filename (third-party-advisory)

Frequently asked questions

What is CVE-2026-40029?: CVE-2026-40029 is a high-severity vulnerability in Khyrenz Parseusbs, classified under OS Command Injection. CVSS score: 7.8/10. Published 2026-04-08.
How severe is CVE-2026-40029?: High severity. CVSS v3 base score is 7.8 out of 10.