CVE-2021-26917
CVE-2021-26917 is a medium-severity vulnerability in Bitmessage Pybitmessage with a CVSS 3.x base score of 5.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: Medium (CVSS 3.x base score 5.5)
- CVSS v2: 2.1
- EPSS exploit prediction: 1% (42nd percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Bitmessage Pybitmessage
- Published:
- Last modified:
Description
PyBitmessage through 0.6.3.2 allows attackers to write screen captures to Potentially Unwanted Directories via a crafted apinotifypath value. NOTE: the discoverer states "security mitigation may not be necessary as there is no evidence yet that these screen intercepts are actually transported away from the local host." NOTE: it is unclear whether there are any common use cases in which apinotifypath is controlled by an attacker
Frequently asked questions
- What is CVE-2021-26917?
- PyBitmessage through 0.6.3.2 allows attackers to write screen captures to Potentially Unwanted Directories via a crafted apinotifypath value. NOTE: the discoverer states "security mitigation may not be necessary as there is no evidence yet that these screen intercepts are actually transported away from the local host." NOTE: it is unclear whether there are any common use cases in which apinotifypath is controlled by an attacker
- How severe is CVE-2021-26917?
- CVE-2021-26917 has a CVSS 3.x base score of 5.5, rated medium severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2021-26917 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (42nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-26917?
- CVE-2021-26917 affects Bitmessage Pybitmessage. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-26917?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2021-26917 published?
- CVE-2021-26917 was published on 2021-02-08 and last updated on 2026-06-17.
References
- https://attack.mitre.org/techniques/T1113/
- https://github.com/Bitmessage/PyBitmessage/blob/f381721bec31641002e2f240309600c4994855a7/src/api.py#L35-L37
- https://github.com/Bitmessage/PyBitmessage/releases
- https://poal.co/s/technology/290479
Affected products (1)
- cpe:2.3:a:bitmessage:pybitmessage:*:*:*:*:*:*:*:*
More vulnerabilities in Bitmessage Pybitmessage
- CVE-2018-1000070 — High (CVSS 8.8): Bitmessage PyBitmessage version v0.6.2 (and introduced in or after commit 8ce72d8d2d25973b7064b1cf76a6b0b3d62f0ba0)…