CVE-2026-21439
badkeys vulnerable to ASCII control character injection on console via malformed input
Description
### Impact An attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the `badkeys` command-line tool. This impacts scanning DKIM keys (both `--dkim` and `--dkim-dns`), SSH keys (`--ssh-lines` mode), and filenames in various modes. ### Patches This has been fixed with the following commits: https://github.com/badkeys/badkeys/commit/de631f69f040974bb5fb442cdab9a1d904c64087 https://github.com/badkeys/badkeys/commit/635a2f3b1b50a895d8b09ec8629efc06189f349a All users should upgrade `badkeys` to version 0.0.16. ### Resources https://github.com/badkeys/badkeys/issues/40
How to fix CVE-2026-21439
To remediate CVE-2026-21439, upgrade the affected package to a fixed version below.
- —upgrade to 0.0.16 or later
Is CVE-2026-21439 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.0.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |