PT-2026-22208 · Unknown · Nvda-Dev-Test-Toolbox

Cyrilleb79 · Published 2026-02-26 · Updated 2026-03-03 · CVE-2026-28211

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

NVDA Dev & Test Toolbox versions 2.0 through 8.0

Description

A security issue exists in the Log Reader feature of the NVDA Dev & Test Toolbox add-on. Maliciously crafted log files can lead to arbitrary code execution when a user reads them using log reader commands. The log reading command processes speech log entries in an unsafe manner, evaluating Python expressions embedded within the log. An attacker can exploit this by convincing a user to open a malicious log file and analyze it with log reading commands, potentially executing attacker-controlled code with the privileges of the current user. This issue does not require elevated privileges and relies on user interaction, specifically opening the log file.

Recommendations

Versions prior to 9.0: Avoid using log reading commands.
Versions prior to 9.0: As a workaround, avoid commands to move to the next or previous log message.
Versions prior to 9.0: For increased security, disable gestures in the input gesture dialog.
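
The unsafe pattern from the description, beside a parser that reads the same entry without evaluating it. This is an added example, not the add-on's code or its fix. It assumes speech entries have the form "Speaking [...]"; the function names and the record_side_effect marker are hypothetical, and the sample lines are constructed.

```python
import ast

SPEAKING_PREFIX = "Speaking "  # assumed shape of a speech log entry
SIDE_EFFECTS = []              # records any code that actually ran


def record_side_effect():
    """Harmless stand-in for an expression embedded in a crafted log."""
    SIDE_EFFECTS.append("executed")
    return "marker"


def unsafe_parse_entry(line):
    """Unsafe pattern: evaluates whatever expression the log line carries."""
    return eval(line[len(SPEAKING_PREFIX):])


def safe_parse_entry(line):
    """Parse a 'Speaking [...]' entry into strings without evaluating it.

    String items are returned as-is; any other item (a speech command
    written as a call, or anything else) comes back as inert source text.
    """
    if not line.startswith(SPEAKING_PREFIX):
        raise ValueError("not a speech entry")
    try:
        tree = ast.parse(line[len(SPEAKING_PREFIX):].strip(), mode="eval")
    except (SyntaxError, RecursionError) as exc:
        raise ValueError("malformed speech sequence") from exc
    if not isinstance(tree.body, ast.List):
        raise ValueError("speech sequence is not a list")
    items = []
    for node in tree.body.elts:
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            items.append(node.value)
        else:
            items.append(ast.unparse(node))  # text only, never executed
    return items


# Constructed sample lines (not taken from a real log).
PLAIN = "Speaking ['Hello', 'world']"
WITH_COMMAND = "Speaking ['a', CharacterModeCommand(True), 'b']"
CRAFTED = "Speaking ['x', record_side_effect()]"

if __name__ == "__main__":
    for sample in (PLAIN, WITH_COMMAND, CRAFTED):
        print(safe_parse_entry(sample))
    print("code executed by safe parser:", SIDE_EFFECTS)
```

Parsing still consumes resources on very large or deeply nested input, so a length limit on each entry before parsing is a sensible addition.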

Related Identifiers

CVE-2026-28211
GHSA-39PG-6XPM-MJGF

Affected Products

Nvda-Dev-Test-Toolbox