Source: kf6-kcoreaddons
Version: 6.23.0-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 6.13.0-1
Control: clone -1 -2
Control: reassign -2 src:kcoreaddons 5.116.0-1
Control: found -2 5.103.0-1
Control: retitle -2 kcoreaddons: CVE-2026-41526
Hi,

The following vulnerability was published for kf6-kcoreaddons.

CVE-2026-41526[0]:
| In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to
| safely quote arguments so that they can be passed to a shell
| command. This parsing does not adequately handle metacharacters,
| leading to an escape from the shell. All applications relying on
| this method in a security-critical path to handle user input are
| affected and could be exploited. In particular, because sendInput()
| sends a string to a terminal, a control character such as \x01 can
| be used during injection.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-41526
    https://www.cve.org/CVERecord?id=CVE-2026-41526
[1] https://invent.kde.org/frameworks/kcoreaddons/-/commit/447250fb061d6a866eeef9ae3c21b627244b198a
[2] https://kde.org/info/security/advisory-20260427-1.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
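As an added illustration of the quoting rule the advisory is about (written for this report; it is not KDE's code and not the patched KShell::quoteArgs), the Python below wraps every argument in POSIX single quotes so shell metacharacters stay literal, and rejects control characters such as \x01, which quoting cannot neutralise once the string reaches a terminal. The sample arguments and the /bin/sh round-trip check are constructed for the demonstration.

```python
import re
import subprocess

# C0 control characters (including the \x01 named in the advisory) and DEL.
# Single quotes make shell metacharacters literal, but a terminal still
# interprets control bytes, so they are refused rather than quoted.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_arg(arg: str) -> bool:
    """True if arg carries no control character a terminal could act on."""
    return _CONTROL.search(arg) is None


def quote_arg(arg: str) -> str:
    """Wrap arg in single quotes. An embedded ' becomes '\\'' (close the
    quote, escaped quote, reopen). Raises ValueError for control characters."""
    if not is_safe_arg(arg):
        raise ValueError("control character in shell argument: %r" % arg)
    return "'" + arg.replace("'", "'\\''") + "'"


def quote_args(args):
    """Join a list of arguments into one safely quoted command line."""
    return " ".join(quote_arg(a) for a in args)


def roundtrip(args):
    """Self-check: feed the quoted line to /bin/sh and confirm the shell
    sees exactly the original arguments, metacharacters included."""
    cmd = "printf '%s\\n' " + quote_args(args)
    out = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True,
                         text=True, check=True).stdout
    return out.split("\n")[:-1] == list(args)


if __name__ == "__main__":
    # Constructed inputs: each would break out of a naive quoting scheme.
    hostile = ["$(id)", "`uname`", "a'b; rm -rf /", "x | cat", "$HOME"]
    print(quote_args(hostile))
    print("round-trip ok:", roundtrip(hostile))
    print("rejected \\x01:", not is_safe_arg("foo\x01bar"))
```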