CVE-2026-28211
Published: 26 February 2026
Summary
CVE-2026-28211 is a high-severity Improper Neutralization of Special Elements in Data Query Logic (CWE-943) vulnerability. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE is ranked at the 1.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly addresses the vulnerability by requiring timely remediation through updating to version 9.0, which fixes the unsafe evaluation of Python expressions in log files.
- SI-10 (Information Input Validation): requires validation of log file inputs to prevent processing and execution of maliciously embedded Python expressions during log reading commands.
- Restricts user installation of unapproved add-ons such as the vulnerable NVDA Dev & Test Toolbox, preventing deployment of systems with this flaw.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables arbitrary Python code execution via evaluation of expressions in a user-opened malicious log file, directly mapping to malicious file delivery (T1204.002) and Python interpreter abuse (T1059.006).
NVD Description
The NVDA Dev & Test Toolbox is an NVDA add-on for gathering tools to help NVDA development and testing. A vulnerability exists in versions 2.0 through 8.0 in the Log Reader feature of this add-on. A maliciously crafted log file can lead to arbitrary code execution when a user reads it with log reader commands. The log reading commands process speech log entries in an unsafe manner. Python expressions embedded in the log may be evaluated when speech entries are read with log reading commands. An attacker can exploit this by convincing a user to open a maliciously crafted log file and to analyze it using the log reading commands. When the log is read, attacker-controlled code may execute with the privileges of the current user. This issue does not require elevated privileges and relies solely on user interaction (opening the log file). Version 9.0 contains a fix for the issue. As a workaround, avoid using log reading commands, or at least the commands to move to the next/previous log message (any message, or the commands for each type of message). For more security, one may disable their gestures in the input gesture dialog.
Deeper analysis
CVE-2026-28211 is a vulnerability in the Log Reader feature of the NVDA Dev & Test Toolbox, an add-on for the NVDA screen reader used in development and testing. Affecting versions 2.0 through 8.0, the issue stems from unsafe processing of speech log entries, where Python expressions embedded in a maliciously crafted log file can be evaluated during log reading commands, leading to arbitrary code execution.
An attacker can exploit this vulnerability locally by convincing a user to open a specially crafted log file and then use log reading commands, such as those to navigate to the next or previous log message. No elevated privileges are required, and exploitation relies solely on user interaction. Successful exploitation allows the attacker-controlled code to execute with the privileges of the current user, potentially resulting in high confidentiality, integrity, and availability impacts, as reflected in the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The vulnerability is fixed in version 9.0 of the NVDA Dev & Test Toolbox. Advisories recommend avoiding log reading commands, particularly those for moving to the next or previous message of any type, as a workaround. For added security, users can disable the associated gestures in the input gesture dialog. Relevant resources include the fix commit, release notes for v9.0, and the GitHub security advisory.
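To illustrate the bug class behind CVE-2026-28211 (evaluating text from a log file as Python), here is an added example that is not the add-on's code: a hypothetical speech-log reader with the unsafe `eval()` pattern beside a hardened parser that accepts only literal string lists. The `Speaking [...]` line format and the `MARKER` list are assumptions constructed for the demonstration.

```python
import ast

# Side-effect marker: stays empty unless an embedded expression is actually executed.
MARKER = []

# Constructed speech-log lines (hypothetical format, not the real NVDA log layout).
# Line 2 is a Python expression rather than a plain literal list.
SAMPLE_LOG = """\
Speaking ['Welcome to NVDA', 'Main window']
Speaking [MARKER.append('executed') or 'Done']
Speaking ['Done']
"""

PREFIX = "Speaking "


def parse_speech_entry_unsafe(line):
    """Vulnerable pattern: eval() rebuilds the speech sequence, so any expression runs."""
    return eval(line[len(PREFIX):])


def parse_speech_entry_safe(line):
    """Hardened: ast.literal_eval accepts only Python literals (calls, names,
    attribute access raise ValueError), and the shape is checked afterwards."""
    try:
        value = ast.literal_eval(line[len(PREFIX):])
    except (ValueError, SyntaxError):
        return None
    if not isinstance(value, list) or not all(isinstance(s, str) for s in value):
        return None
    return value


def read_log(text):
    """Parse every speech entry safely; return (accepted entries, rejected line numbers)."""
    accepted, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.startswith(PREFIX):
            continue
        entry = parse_speech_entry_safe(line)
        if entry is None:
            rejected.append(lineno)  # worth logging: a log entry that is not a literal
        else:
            accepted.append(entry)
    return accepted, rejected


if __name__ == "__main__":
    entries, bad = read_log(SAMPLE_LOG)
    print("accepted:", entries, "rejected lines:", bad, "marker:", MARKER)
```

Rejected line numbers are the natural detection hook: a speech log should never contain anything but literals, so a rejection is worth surfacing rather than silently skipping.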
Details
- CWE(s)