#1135179 kcoreaddons: CVE-2026-41526

Package: src:kcoreaddons
Source: src:kcoreaddons
Submitter: Salvatore Bonaccorso
Date: 2026-04-28 20:11:03 UTC
Severity: normal
Date: 2026-04-28 20:08:06 UTC
Source: kf6-kcoreaddons
Version: 6.23.0-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 6.13.0-1
Control: clone -1 -2
Control: reassign -2 src:kcoreaddons 5.116.0-1
Control: found -2 5.103.0-1
Control: retitle -2 kcoreaddons: CVE-2026-41526

Hi,

The following vulnerability was published for kf6-kcoreaddons.

CVE-2026-41526[0]:
| In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to
| safely quote arguments so that they can be passed to a shell
| command. This parsing does not adequately handle metacharacters,
| leading to an escape from the shell. All applications relying on
| this method in a security-critical path to handle user input are
| affected and could be exploited. In particular, because sendInput()
| sends a string to a terminal, a control character such as \x01 can
| be used during injection.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-41526
https://www.cve.org/CVERecord?id=CVE-2026-41526
[1] https://invent.kde.org/frameworks/kcoreaddons/-/commit/447250fb061d6a866eeef9ae3c21b627244b198a
[2] https://kde.org/info/security/advisory-20260427-1.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
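An added example, not code from KCoreAddons, from the upstream commit [1] or from this report, illustrating the defensive point behind the CVE text above: wrapping an argument in POSIX single quotes neutralises shell metacharacters, but it does nothing about control bytes once the assembled string is written to a terminal, so a conservative caller refuses such arguments before quoting. The names quoteSingle, hasControlBytes and quoteArgsChecked are hypothetical, and the reject-control-bytes rule is this example's own conservative policy, not a description of the upstream fix.

```cpp
#include <optional>
#include <string>
#include <vector>

// Hypothetical helper (not KCoreAddons code): wrap one argument in POSIX
// single quotes. Inside single quotes every byte is literal except the
// single quote itself, which is emitted as the sequence '\'' .
std::string quoteSingle(const std::string& arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') {
            out += "'\\''";
        } else {
            out += c;
        }
    }
    out += "'";
    return out;
}

// True if the argument carries any control byte (0x00-0x1F or 0x7F).
// Shell quoting does not neutralise these when the resulting command line
// is shown to or replayed into a terminal, so they are refused up front.
bool hasControlBytes(const std::string& arg) {
    for (unsigned char c : arg) {
        if (c < 0x20 || c == 0x7F) {
            return true;
        }
    }
    return false;
}

// Quote a whole argument vector into one shell command line.
// Returns std::nullopt instead of a command line if any argument is refused,
// so the caller cannot accidentally use a partially sanitised string.
std::optional<std::string> quoteArgsChecked(const std::vector<std::string>& args) {
    std::string cmd;
    for (std::size_t i = 0; i < args.size(); ++i) {
        if (hasControlBytes(args[i])) {
            return std::nullopt;
        }
        if (i != 0) {
            cmd += ' ';
        }
        cmd += quoteSingle(args[i]);
    }
    return cmd;
}
```

Where the design allows it, the stronger mitigation is to not build a shell string at all: hand the argument vector to the child process directly (for example QProcess::start(program, arguments) or execvp), which leaves nothing for the shell to re-parse.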