debian · CVE-2026-41526

Quick triage

Priority: not yet assigned Published: Updated: Tue, 14 Jul 2026 01:00:16 GMT

View at Official debian advisory, NVD, CVE.org · CVE detail

Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.

Tracker summary

CVE-2026-41526 not yet assigned priority: Debian including 2 source packages (kcoreaddons, kf6-kcoreaddons), 8 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 4, resolved 4.

Description:

In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \x01 can be used during injection.

cvelogic Threat Intelligence