彙總 KDE 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
已披露問題常與 輸入驗證問題、緩衝區溢位與跨站腳本 相關,可能在 生產負載與軟體部署 場景中帶來 異常行為與應用程式崩潰 等暴露風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-41526 | In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \x01 can be used during injection. | [email protected] | 6.5 | 0.17% | 2026-04-28 | 2026-06-17 |
| CVE-2025-69412 | KDE messagelib before 25.11.90 ignores SSL errors for threatMatches:find in the Google Safe Browsing Lookup API (aka phishing API), which might allow spoofing of threat data. NOTE: this Lookup API is not contacted in the messagelib default configuration. | [email protected] | 3.4 | 0.24% | 2025-12-31 | 2026-06-17 |
| CVE-2025-32901 | In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash. | [email protected] | 4.3 | 0.16% | 2025-12-05 | 2026-06-17 |
| CVE-2025-32899 | In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, it is an invalid discovery packet sent over broadcast UDP. | [email protected] | 4.3 | 0.16% | 2025-12-05 | 2026-06-17 |
| CVE-2024-57966 | libarchiveplugin.cpp in KDE ark before 24.12.0 can extract to an absolute path from an archive. | [email protected] | 5.0 | 0.26% | 2025-02-03 | 2026-06-17 |
| CVE-2024-36041 | KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager, e.g., use the session-restore feature to execute arbitrary code as the victim (on the next boot) via earlier use of the /tmp directory. | [email protected] | 7.8 | 0.29% | 2024-07-04 | 2026-06-17 |
| CVE-2024-1433 | A vulnerability, which was classified as problematic, was found in KDE Plasma Workspace up to 5.93.0. This affects the function EventPluginsManager::enabledPlugins of the file components/calendar/eventpluginsmanager.cpp of the component Theme File Handler. The manipulation of the argument pluginId leads to path traversal. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The patch is named 6cdf42916369ebf4ad5bd | [email protected] | 3.1 | 0.78% | 2024-02-11 | 2026-06-17 |
| CVE-2022-24986 | KDE KCron through 21.12.2 uses a temporary file in /tmp when saving, but reuses the filename during an editing session. Thus, someone watching it be created the first time could potentially intercept the file the following time, enabling that person to run unauthorized commands. | [email protected] | 7.8 | 0.24% | 2022-02-26 | 2026-06-17 |
| CVE-2022-23853 | The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. If this binary is absent from the PATH, it will try running the LSP server binary in the directory of the file that was just opened (due to a misunderstanding of the QProcess API, that was never intended). This can be an untrusted directory. | [email protected] | 7.8 | 0.88% | 2022-02-11 | 2026-06-17 |
| CVE-2021-38373 | In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked. | [email protected] | 5.3 | 0.53% | 2021-08-10 | 2026-06-17 |
| CVE-2021-38372 | In KDE Trojita 0.7, man-in-the-middle attackers can create new folders because untagged responses from an IMAP server are accepted before STARTTLS. | [email protected] | 3.7 | 0.79% | 2021-08-10 | 2026-06-17 |
| CVE-2021-36083 | KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer overflow in XCFImageFormat::loadTileRLE. | [email protected] | 5.5 | 0.94% | 2021-06-30 | 2026-06-16 |
| CVE-2021-31855 | KDE Messagelib through 5.17.0 reveals cleartext of encrypted messages in some situations. Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g., an IMAP server) causes KMail to upload the decrypted content of the message to the remote server. With a crafted message, a user could be tricked into decrypting an encrypted message and then deleting an attachment attached to this message. If the attacker has access to the messages stored on the email server, then the | [email protected] | 6.5 | 0.60% | 2021-06-02 | 2026-06-16 |
| CVE-2021-28117 | libdiscover/backends/KNSBackend/KNSResource.cpp in KDE Discover before 5.21.3 automatically creates links to potentially dangerous URLs (that are neither https:// nor http://) based on the content of the store.kde.org web site. (5.18.7 is also a fixed version.) | [email protected] | 7.5 | 1.56% | 2021-03-20 | 2026-06-16 |
| CVE-2020-27187 | An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab, and execute mount and other partitioning related commands, while KDE Partition Manager is running. the mount command can then be used to gain full root privileges. | [email protected] | 7.8 | 0.42% | 2020-10-26 | 2026-06-16 |
| CVE-2020-26164 | In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a Denial of Service attack. | [email protected] | 5.5 | 0.54% | 2020-10-07 | 2026-06-16 |
| CVE-2020-24654 | In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory. | [email protected] | 3.3 | 1.50% | 2020-09-02 | 2026-06-16 |
| CVE-2020-16116 | In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal. | [email protected] | 3.3 | 1.71% | 2020-08-03 | 2026-06-16 |
| CVE-2020-15954 | KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use. | [email protected] | 6.5 | 0.65% | 2020-07-27 | 2026-06-16 |
| CVE-2020-13152 | A remote user can create a specially crafted M3U file, media playlist file that when loaded by the target user, will trigger a memory leak, whereby Amarok 2.8.0 continue to waste resources over time, eventually allows attackers to cause a denial of service. | [email protected] | 5.5 | 3.43% | 2020-05-20 | 2026-06-16 |