CVE-2026-41526: In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \x01 can be used during injection.
Overview
- Severity: Medium (CVSS 6.5)
- CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
- Exploit Status: Not Exploited
- Patch Tuesday: 2026-Apr
- Released: 2026-05-01
- Last Updated: 2026-06-03
- EPSS Score: 0.17% (percentile: 6.6%)
Affected Products (3)
Other
- 21293-17084
- 21294-17086
- 21403-17084
Revision History
- 2026-05-01: Information published.
- 2026-05-09: Information published.
- 2026-06-03: Information published.