GHSA-4c3c-r6p8-c863: Flawfinder output manipulation via untrusted filenames and source text
flawfinder versions prior to 2.0.20 contain an improper input neutralization vulnerability that allows output manipulation via untrusted filenames and source text. This includes Terminal/ANSI Escape Sequence Injection, which can spoof terminal output to hide scan results, and CSV/XML injection that can corrupt structured reports such as SonarQube outputs. The vulnerability affects users who scan repositories with malicious filenames or contents. The issue is fully patched in flawfinder version 2.0.20.
AI Analysis
Technical Summary
This vulnerability in flawfinder (CVE-2026-48813) arises from improper neutralization of input used in output generation. Malicious filenames containing ANSI escape sequences can manipulate terminal output, potentially hiding critical scan results from human reviewers. Additionally, untrusted fields like filenames, categories, or code context are not sanitized when generating CSV or XML reports, enabling injection of arbitrary XML attributes or corruption of CSV formats. The flawfinder project leader and contributors identified these issues, which are fixed in version 2.0.20.
Potential Impact
An attacker supplying malicious filenames or source text to flawfinder can manipulate the tool's output. Terminal output spoofing may mislead users by hiding security issues in scan results. CSV and XML injection can corrupt structured reports, potentially affecting downstream tools consuming these reports. There is no direct impact on confidentiality, integrity, or availability of flawfinder itself, but the reliability of scan results and reports is compromised.
Mitigation Recommendations
A patch is available in flawfinder version 2.0.20, released on 2026-05-16. Users should upgrade to this version or later immediately. If upgrading is not possible, users can mitigate risk by pre-scanning filenames to exclude control characters or ANSI escape sequences, inspecting raw output in editors that reveal or strip escape sequences, and avoiding generating SonarQube or CSV reports from untrusted repositories until patched.
GHSA-4c3c-r6p8-c863: Flawfinder output manipulation via untrusted filenames and source text
Description
flawfinder versions prior to 2.0.20 contain an improper input neutralization vulnerability that allows output manipulation via untrusted filenames and source text. This includes Terminal/ANSI Escape Sequence Injection, which can spoof terminal output to hide scan results, and CSV/XML injection that can corrupt structured reports such as SonarQube outputs. The vulnerability affects users who scan repositories with malicious filenames or contents. The issue is fully patched in flawfinder version 2.0.20.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in flawfinder (CVE-2026-48813) arises from improper neutralization of input used in output generation. Malicious filenames containing ANSI escape sequences can manipulate terminal output, potentially hiding critical scan results from human reviewers. Additionally, untrusted fields like filenames, categories, or code context are not sanitized when generating CSV or XML reports, enabling injection of arbitrary XML attributes or corruption of CSV formats. The flawfinder project leader and contributors identified these issues, which are fixed in version 2.0.20.
Potential Impact
An attacker supplying malicious filenames or source text to flawfinder can manipulate the tool's output. Terminal output spoofing may mislead users by hiding security issues in scan results. CSV and XML injection can corrupt structured reports, potentially affecting downstream tools consuming these reports. There is no direct impact on confidentiality, integrity, or availability of flawfinder itself, but the reliability of scan results and reports is compromised.
Mitigation Recommendations
A patch is available in flawfinder version 2.0.20, released on 2026-05-16. Users should upgrade to this version or later immediately. If upgrading is not possible, users can mitigate risk by pre-scanning filenames to exclude control characters or ANSI escape sequences, inspecting raw output in editors that reveal or strip escape sequences, and avoiding generating SonarQube or CSV reports from untrusted repositories until patched.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-4c3c-r6p8-c863
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-48813"]
- Ecosystems
- ["PyPI"]
- Database Specific Severity
- LOW
- Cvss Version
- 3.1
Threat ID: 6a3ef76827e9c79719fee7ab
Added to database: 06/26/2026, 22:04:24 UTC
Last enriched: 06/26/2026, 22:07:24 UTC
Last updated: 06/26/2026, 22:07:24 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.