cvedb.io
CVE-2026-41526
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2026-04-28T08:16:01.647 · Last modified 2026-06-17T10:46:50.333

Summary

In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \x01 can be used during injection.

Affected products

kde — kcoreaddons

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.