PT-2026-39724 · Tookie · Tookie

·

CVE-2026-42866

·

Published

2026-05-11

·

Updated

2026-05-11

CVSS v4.0

6.7

Medium

VectorAV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Tookie versions prior to 4.1fix
Description An issue exists in the modules/modules.py file where the write txt(), write csv(), write json(), and scan file() helper functions open output files using the open(f"{user}.<ext>") method. The user variable, which is sourced from the -u CLI flag or a -U usernames file, is not sanitized. A username containing path-separator sequences such as .., /, ``, or an absolute path allows the tool to write scan output to any arbitrary path where the invoking user has write permissions.
Recommendations Update to version 4.1fix.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-42866
GHSA-RP68-WFV6-3CQ3

Affected Products

Tookie