{"id":"CVE-2021-26917","details":"PyBitmessage through 0.6.3.2 allows attackers to write screen captures to Potentially Unwanted Directories via a crafted apinotifypath value. NOTE: the discoverer states \"security mitigation may not be necessary as there is no evidence yet that these screen intercepts are actually transported away from the local host.\" NOTE: it is unclear whether there are any common use cases in which apinotifypath is controlled by an attacker","modified":"2026-04-10T04:31:23.886231Z","published":"2021-02-08T23:15:11.973Z","references":[{"type":"ADVISORY","url":"https://attack.mitre.org/techniques/T1113/"},{"type":"ADVISORY","url":"https://github.com/Bitmessage/PyBitmessage/releases"},{"type":"FIX","url":"https://github.com/Bitmessage/PyBitmessage/blob/f381721bec31641002e2f240309600c4994855a7/src/api.py#L35-L37"},{"type":"EVIDENCE","url":"https://poal.co/s/technology/290479"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bitmessage/pybitmessage","events":[{"introduced":"0"},{"last_affected":"634a49cd6d8fc2f52504586be4c4766340641b25"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.6.3.2"}]}}],"versions":["0.6.3.1","0.6.3.2","v0.3.5","v0.6.0","v0.6.2","v0.6.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-26917.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}