Zero Day Monitor (ZDM) © 2026
CVE-2026-41525 (PATCHED) · CVSS 6.5 · kde / dolphin

CVE-2026-41525: KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny.

Description

KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny. Dolphin's implementation of the FileManager1 protocol allows the path given to be any type of file, including scripts or executables. (By default, Dolphin will then prompt the user to determine if they want to launch a script or executable; however, the intended behavior is to block the attempted action, not present a consent prompt.)

Affected Products

Vendor: kde · Product: dolphin · Versions: 0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor: open source · Product: kde · Source: cert_advisory · Confidence: 90%

References

  • https://invent.kde.org/system/dolphin/
  • https://github.com/KDE/dolphin/releases/tag/v25.12.3
  • https://kde.org/info/security/advisory-20260427-2.txt

Related News (2 articles)

Tier B · BSI Advisories · 13d ago
[NEW] [medium] KDE (Dolphin and KShell): Multiple vulnerabilities allow code execution
→ No new info (linked only)

Tier C · VulDB · 13d ago
CVE-2026-41525 | KDE Dolphin up to 25.12.2 FileManager1 Protocol resource transfer
→ No new info (linked only)
CVSS 3.1: 6.5 MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
CISA KEV: No
Actively exploited: No
Patch available: 25.12.3
CWE: CWE-669
Published: Apr 28, 2026
Last enriched: 13d ago (v2)
Trending Score: 8
Source articles: 2
Independent: 2
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

HIGH · PRE-CVE
Multiple vulnerabilities in KDE Kdenlive and Okular allowing remote code execution, security bypass, data manipulation, information disclosure, and denial of service
Trending: 26

MEDIUM · CVE-2026-45184
CVE-2026-45184: Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used.
Trending: 20

MEDIUM · CVE-2026-41526
CVE-2026-41526: In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a
Trending: 11

MEDIUM · CVE-2026-42095 · EXP
CVE-2026-42095: bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL.
Trending: 3

MEDIUM · CVE-2026-41527
CVE-2026-41527: KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there i
Trending: 3

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 28, 2026
Discovered by ZDM: Apr 28, 2026
Updated (affectedVersions): Apr 28, 2026
Patch Available: Apr 28, 2026

Version History

Current: v2 (last enriched 13d ago)

v2 · Tier C · 13d ago
Updated affected versions to include 25.12.2 and corrected exploit availability to false.
Fields changed: affectedVersions (via VulDB)

v1 · 13d ago
Initial creation