Zero Day Monitor (ZDM) © 2026
CVE-2026-41526 [PATCHED] · CVSS 6.5 · kde · kcoreaddons


Description

In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \x01 can be used during injection.

Affected Products

Vendor: kde
Product: kcoreaddons
Versions: 0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor: open source
Product: kde
Source: cert_advisory
Confidence: 90%

References

  • https://invent.kde.org/frameworks/kcoreaddons/
  • https://github.com/KDE/kcoreaddons/blob/50d360736c399502fedf203e95482b0d0e5a3ea2/src/lib/util/kshell.h#L43-L49
  • https://github.com/KDE/kcoreaddons/blob/50d360736c399502fedf203e95482b0d0e5a3ea2/src/lib/util/kshell.h#L168
  • https://github.com/KDE/kcoreaddons/releases/tag/v6.25.0
  • https://kde.org/info/security/advisory-20260427-1.txt

Related News (3 articles)

  • Tier A · Microsoft MSRC · 10d ago
    CVE-2026-41526
    → No new info (linked only)
  • Tier B · BSI Advisories · 13d ago
    [NEW] [medium] KDE (Dolphin and KShell): Multiple vulnerabilities allow code execution
    → No new info (linked only)
  • Tier C · VulDB · 13d ago
    CVE-2026-41526 | KDE KCoreAddons up to 6.24 sendInput control sequence
    → No new info (linked only)
CVSS 3.1: 6.5 MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
CISA KEV: No
Actively exploited: No
Patch available: 6.25
CWE: CWE-150
Published: Apr 28, 2026
Last enriched: 13d ago (v2)
Trending Score: 11
Source articles: 3
Independent: 3
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

  • HIGH · PRE-CVE
    Multiple vulnerabilities in KDE Kdenlive and Okular allowing remote code execution, security bypass, data manipulation, information disclosure, and denial of service
    Trending: 26
  • MEDIUM · CVE-2026-45184
    CVE-2026-45184: Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used.
    Trending: 20
  • MEDIUM · CVE-2026-41525
    CVE-2026-41525: KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of th
    Trending: 8
  • MEDIUM · CVE-2026-42095 [EXP]
    CVE-2026-42095: bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL.
    Trending: 3
  • MEDIUM · CVE-2026-41527
    CVE-2026-41527: KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there i
    Trending: 3


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 28, 2026
Discovered by ZDM: Apr 28, 2026
Updated (affectedVersions, severity): Apr 28, 2026
Patch Available: Apr 28, 2026

Version History

Current version: v2 (last enriched 13d ago)

v2 · Tier C · 13d ago
Updated affected versions to include 6.24, changed severity to CRITICAL, and corrected exploit availability to false.
Fields changed: affectedVersions, severity
Source: via VulDB

v1 · 13d ago
Initial creation