
CVE-2026-48813 is an improper output neutralization vulnerability in flawfinder (a static analysis security tool) that enables Terminal/ANSI Escape Sequence Injection and XML/CSV Injection via malicious filenames or untrusted file contents. It affects all flawfinder versions prior to 2.0.20 (pip package). The vulnerability was initially reported by Dan Lenz and further investigated by project leader David A. Wheeler; the advisory was published on May 23, 2026, and added to the GitHub Advisory Database on June 26, 2026. The CVSS v3.1 base score is 0.0 (severity rating None), because the formal scoring reflects no direct confidentiality, integrity, or availability impact on the host system itself (GitHub Advisory, Flawfinder Advisory).
The root cause is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'): flawfinder does not sanitize untrusted input fields, including filenames, categories, and code context text, before incorporating them into terminal output or structured reports. For terminal output spoofing, a crafted filename containing ANSI escape sequences (e.g., \033[2J to clear the screen or \033[A to move the cursor up one line) is written to the terminal unescaped, so the terminal interprets it and the attacker controls what a human reviewer sees. For CSV and XML injection, unsanitized fields are embedded into SonarQube XML output via output_sonar() or into CSV reports, enabling injection of arbitrary XML attributes or corruption of the CSV row structure. Exploitation requires only that flawfinder be run against a repository containing maliciously crafted filenames or file contents (GitHub Advisory, Flawfinder Advisory).
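To make the three channels concrete, here is an added example written for this page (not flawfinder's own code, and not the patched output routines): a vulnerable renderer for each channel next to a hardened one, exercised on constructed finding records. The record layout, the <issue> element and its attribute names are stand-ins for flawfinder's real output formats and are assumptions, not quotations from the project.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample findings (not real flawfinder output), one per injection channel:
# an ESC sequence in a filename, a double quote that closes an XML attribute early,
# and a comma/newline pair that splits a CSV row.
FINDINGS = [
    {"filename": "vuln\x1b[2Jclean.c", "line": 12, "level": 4,
     "category": "buffer", "context": "strcpy(dst, src);"},
    {"filename": 'a.c" status="resolved', "line": 3, "level": 5,
     "category": "format", "context": "printf(user);"},
    {"filename": "b.c,0,0,clean\nc.c", "line": 7, "level": 3,
     "category": "shell", "context": "system(cmd);"},
]

CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def neutralize_control(text: str) -> str:
    """Render C0 controls and DEL as visible \\xNN text so a terminal (or XML parser) never sees them raw."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def terminal_line_unsafe(f: dict) -> str:
    # Vulnerable pattern: untrusted fields interpolated straight into terminal text.
    return f"{f['filename']}:{f['line']}:  [{f['level']}] ({f['category']}) {f['context']}"


def terminal_line_safe(f: dict) -> str:
    # Hardened: every untrusted field is neutralized before it reaches the terminal.
    return (f"{neutralize_control(f['filename'])}:{f['line']}:  [{f['level']}] "
            f"({f['category']}) {neutralize_control(f['context'])}")


def sonar_issue_unsafe(f: dict) -> str:
    # Vulnerable pattern: string formatting into attribute values; a '"' in the filename
    # ends the attribute and whatever follows becomes a new, attacker-chosen attribute.
    return '<issue file="%s" line="%d" level="%d" message="%s"/>' % (
        f["filename"], f["line"], f["level"], f["context"])


def sonar_issue_safe(f: dict) -> str:
    # Hardened: neutralize controls first (XML 1.0 cannot carry ESC even as a char reference),
    # then let quoteattr pick the quote style and escape <, & and the quote character.
    return "<issue file=%s line=%s level=%s message=%s/>" % (
        quoteattr(neutralize_control(f["filename"])), quoteattr(str(f["line"])),
        quoteattr(str(f["level"])), quoteattr(neutralize_control(f["context"])))


def xml_attrs(text: str) -> dict:
    """Parse one <issue/> element the way a SonarQube importer would and return its attributes."""
    return dict(ET.fromstring(text).attrib)


def csv_line_unsafe(f: dict) -> str:
    # Vulnerable pattern: hand-joined fields; a comma or newline in the filename adds fields or rows.
    return ",".join([f["filename"], str(f["line"]), str(f["level"]), f["category"], f["context"]])


def csv_line_safe(f: dict) -> str:
    # Hardened: the csv module quotes every field and doubles embedded quotes; controls are neutralized first.
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerow(
        [neutralize_control(f["filename"]), f["line"], f["level"],
         f["category"], neutralize_control(f["context"])])
    return buf.getvalue()


def csv_rows(text: str) -> list:
    """Parse a CSV fragment the way a downstream consumer would."""
    return list(csv.reader(io.StringIO(text)))


if __name__ == "__main__":
    for f in FINDINGS:
        print(repr(terminal_line_unsafe(f)), "->", terminal_line_safe(f))
```

Two points the code makes that the paragraph does not: escaping for XML alone is not enough, because a raw ESC byte is simply not representable in XML 1.0, so control characters must be neutralized before quoting; and the CSV fix is the library writer with QUOTE_ALL rather than a hand-written join, since a filename is allowed to contain both commas and newlines.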
The primary impact is output manipulation rather than direct system compromise: an attacker who controls filenames or file contents in a scanned repository can spoof flawfinder's terminal output to hide critical security findings, making it falsely appear to a human reviewer that no vulnerabilities were detected. Additionally, CSV reports can be corrupted and arbitrary XML attributes can be injected into SonarQube outputs, potentially affecting downstream security tooling or CI/CD pipelines that consume these reports. There is no direct confidentiality, integrity, or availability impact to the underlying host system, but the integrity of the security review process itself is undermined (GitHub Advisory).
Exploitation requires only that an attacker place crafted names or contents in a repository that will later be scanned: a filename such as vuln\033[2Jclean.c (where \033[2J clears the terminal screen), or file contents with XML-special characters designed to inject attributes into SonarQube output. When flawfinder is then run with the --csv or SonarQube output options, the unsanitized filename or code context is embedded directly into the structured output, injecting arbitrary CSV fields or XML attributes that corrupt the report consumed by downstream tools (GitHub Advisory).
Indicators of an attempted attack are files carrying escape-sequence introducers (\x1b[, \033[) in their filenames within a scanned repository. Such names show up as ESC[ or ^[ in listings or text editors that display control characters, rather than as plain text filenames.
The vulnerability is fully patched in flawfinder version 2.0.20 (released 2026-05-16); all users should upgrade immediately using pip install --upgrade flawfinder. For GitHub Actions users, workflows should reference david-a-wheeler/flawfinder@2.0.20 or later. If an immediate upgrade is not possible, mitigations include: pre-scanning filenames for control characters before passing them to flawfinder; reviewing raw flawfinder output in a text editor that displays or strips escape sequences rather than on a live terminal; and not generating SonarQube or CSV reports from untrusted repositories until the tool is updated (GitHub Advisory, Flawfinder Advisory).
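The pre-scan mitigation above, as an added example that is not part of the advisory or the flawfinder project: a CI gate that walks a checkout on a POSIX file system (where ESC and double quotes are legal in names) and refuses to proceed when any directory or file name would reach a terminal or a report unescaped. It also renders offending names in the caret notation of cat -v, so the gate's own output cannot be spoofed. The sample tree and its file names are constructed for the demonstration. Note that this covers only filenames; untrusted file contents still require the output-side escaping that the 2.0.20 fix provides.

```python
import os
import re
import tempfile

# What the file system allows but flawfinder's consumers cannot safely carry:
# C0 controls and DEL drive a terminal (newline included); quotes, angle brackets,
# ampersands and commas can reshape CSV rows or XML attributes.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
STRUCTURAL_RE = re.compile(r'[",<>&]')


def classify_name(name: str) -> list:
    """Return the reasons a single path component should not be handed to flawfinder unchecked."""
    reasons = []
    if CONTROL_RE.search(name):
        reasons.append("control-character")
    if STRUCTURAL_RE.search(name):
        reasons.append("csv/xml-special")
    return reasons


def caret_notation(text: str) -> str:
    """Display controls the way `cat -v` does (ESC becomes ^[), so a report line cannot act on a terminal."""
    return CONTROL_RE.sub(
        lambda m: "^?" if m.group() == "\x7f" else "^" + chr(ord(m.group()) + 0x40), text)


def scan_tree(root: str) -> list:
    """Walk a checkout and list every directory or file name that fails classify_name()."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reasons = classify_name(name)
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((caret_notation(rel), reasons))
    return sorted(hits)


def gate(root: str) -> int:
    """Exit status for a CI step placed before flawfinder: 0 when the tree is clean, 1 otherwise."""
    hits = scan_tree(root)
    for shown, reasons in hits:
        print(f"refusing to scan: {shown!r} ({', '.join(reasons)})")
    return 1 if hits else 0


def build_sample_tree() -> str:
    """Constructed checkout for the demo (hypothetical names, not from any real repository)."""
    root = tempfile.mkdtemp(prefix="flawfinder-prescan-")
    os.mkdir(os.path.join(root, "src"))
    for name in ["src/ok.c", "src/fine.h", "vuln\x1b[2Jclean.c", 'a.c" status="resolved']:
        with open(os.path.join(root, name), "w") as fh:
            fh.write("int main(void) { return 0; }\n")
    return root


if __name__ == "__main__":
    # Run the gate on the constructed tree; a non-zero status is what a CI job would act on.
    raise SystemExit(gate(build_sample_tree()))
```

In a pipeline the gate would run as its own step against the checkout directory and flawfinder would only be invoked when it returns 0; keeping the check on names (rather than trying to rename files) avoids silently altering the repository under review.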
The advisory and fix came from the flawfinder project leader David A. Wheeler, who investigated and extended Dan Lenz's initial report of the filename injection issue; the disclosure was therefore made by the maintainer himself. No significant broader media coverage, researcher commentary, or notable community reactions beyond the official advisory have been identified at this time (GitHub Advisory).
Source: This report was generated with the help of AI