PT-2026-39724 · Alfredredbird · Tookie-Osint
Published 2026-05-11 · Updated 2026-05-11 · CVE-2026-42866 · CVSS v4.0 6.7 (Medium)
| Vector | AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Tookie-Osint is an advanced OSINT information-gathering tool. Prior to 4.1fix, the `write_txt`, `write_csv`, `write_json` and (commented-out but still shipped) `scan_file` helpers in `modules/modules.py` open their output file with a name built directly from the username (`open(f"{user}.")` followed by the output format's extension), where `user` comes unsanitised from the `-u` CLI flag or from any line of a `-U` usernames file. A username that contains path-separator sequences (`..`, `/`, `\`, or an absolute path) therefore makes tookie-osint write the scan output to an arbitrary path the invoking user has write permission for. The UI:A in the vector reflects that the victim has to run the tool against an attacker-supplied username or usernames file; the integrity impact is the overwrite or creation of files in the victim's writable locations. This vulnerability is fixed in 4.1fix.
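The following is an added example, not tookie-osint's own code. It reproduces the unsafe pattern the advisory describes (output path built straight from the username) beside a hardened variant that allow-lists the username and confines writes to one output directory. The helper names (`vulnerable_output_path`, `safe_output_path`, `classify_usernames`, `write_txt_safe`), the `results` directory and the attack usernames are all assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# Unsafe pattern, as the advisory describes it: the filename is the raw
# username plus an extension, so "../" sequences or an absolute path in the
# username pick the destination file.
def vulnerable_output_path(user: str, ext: str) -> str:
    return f"{user}.{ext}"


# Hardened variant (hypothetical). Two independent controls:
#  1. an allow-list for the username (no "/", "\\", NUL, or leading ".")
#  2. a resolved-path check that the target stays inside the output directory
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def safe_output_path(user: str, ext: str, out_dir: str = "results") -> Path:
    if not SAFE_USERNAME.fullmatch(user) or user.startswith("."):
        raise ValueError(f"rejected username: {user!r}")
    base = Path(out_dir).resolve()
    target = (base / f"{user}.{ext}").resolve()
    # Belt and braces: even if the allow-list is loosened later, refuse any
    # path whose resolved form is not underneath the output directory.
    if base not in target.parents:
        raise ValueError(f"output path escapes {base}: {target}")
    return target


def classify_usernames(users):
    """Emulate processing a -U usernames file: report which lines would be
    accepted and which would be rejected by the hardened path builder."""
    verdicts = {}
    for u in users:
        try:
            safe_output_path(u, "txt")
            verdicts[u] = "ok"
        except ValueError:
            verdicts[u] = "rejected"
    return verdicts


def write_txt_safe(user: str, lines, out_dir: str) -> Path:
    """Hardened write_txt-style helper: creates the output directory and
    writes only to the validated path."""
    target = safe_output_path(user, "txt", out_dir)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return target


# Constructed sample inputs: one legitimate username and three traversal
# attempts of the kinds the advisory lists.
SAMPLE_USERNAMES = [
    "alice",
    "../../../tmp/pwned",      # relative traversal
    "/tmp/pwned",              # absolute path
    "..\\..\\pwned",           # Windows-style separators
]


if __name__ == "__main__":
    for u in SAMPLE_USERNAMES:
        print(f"{u!r:28} unsafe -> {vulnerable_output_path(u, 'txt')!r}")
    print(classify_usernames(SAMPLE_USERNAMES))
    with tempfile.TemporaryDirectory() as d:
        print("wrote", write_txt_safe("alice", ["github: found", "reddit: not found"], d))
```

The allow-list alone is enough to block the traversal, but the resolved-path check costs nothing and keeps the fix intact if someone later widens the accepted character set (for example to allow Unicode handles).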
Exploit
Fix
Path traversal
Affected Products
Tookie-Osint