CVE-2026-21439

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-21439

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21439.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-21439

Aliases

GHSA-wjpc-4f29-83h3

Published

2026-01-05T23:51:35.670Z

Modified

2026-03-14T12:46:55.263307Z

Severity

2.0 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

badkeys vulnerable to ASCII control character injection on console via malformed input

Details

badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. In versions 0.0.15 and below, an attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the badkeys command-line tool. This impacts scanning DKIM keys (both --dkim and --dkim-dns), SSH keys (--ssh-lines mode), and filenames in various modes. This issue is fixed in version 0.0.16.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/21xxx/CVE-2026-21439.json",
    "cwe_ids": [
        "CWE-150"
    ]
}

References

Affected packages

Git / github.com/badkeys/badkeys

Affected ranges

Type: GIT
Repo: https://github.com/badkeys/badkeys
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

e14ecc2f18fbb9bfb0b8b8e170dc10ae55a01212

Affected versions

v0.*

v0.0.1

v0.0.10

v0.0.11

v0.0.12

v0.0.13

v0.0.14

v0.0.15

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.0.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21439.json"