{"id":"CVE-2019-12761","details":"A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. For the issue to be triggered, XDG_CONFIG_DIRS must be set up so that xdg.Menu.parse parses within the directory containing this file. The issue is due to a lack of sanitization in xdg/Menu.py before an eval call.","aliases":["GHSA-r6v3-hpxj-r8rv","PYSEC-2019-199","SNYK-PYTHON-PYXDG-174562"],"modified":"2026-05-18T17:42:09.717447Z","published":"2019-06-06T19:29:00.533Z","related":["SUSE-SU-2022:2997-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2019/06/msg00006.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2021/08/msg00003.html"},{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562"},{"type":"EVIDENCE","url":"https://gist.github.com/dhondta/b45cd41f4186110a354dc7272916feba"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.freedesktop.org/xdg/pyxdg","events":[{"introduced":"0"},{"fixed":"7db14dcf4c4305c3859a2d9fcf9f5da2db328330"}],"database_specific":{"cpe":"cpe:2.3:a:python:pyxdg:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"0.26"}]}}],"versions":["rel-0.25","rel-0.24","rel-0.23","rel-0.22","rel-0.21","rel-0.20","rel-0.20rc1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-12761.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}