CVE-2026-41526
Analyzed Analyzed - Analysis Complete
Shell Injection Vulnerability in KDE KCoreAddons KShell::quoteArgs

Publication date: 2026-04-28

Last updated on: 2026-05-05

Assigner: MITRE

Description
In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \x01 can be used during injection.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41526
EUVD
EUVD-2026-26004
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kde kcoreaddons to 6.25.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in KDE KCoreAddons before version 6.25 involves the function KShell::quoteArgs, which is designed to safely quote arguments for shell commands. However, it does not properly handle certain metacharacters, allowing an attacker to escape the intended quoting.

Specifically, when applications use sendInput() to send strings to a terminal, control characters like \x01 can be injected. This breaks out of the single-quoted context that KShell::quoteArgs assumes is safe, enabling an attacker to inject additional shell commands.

This means that any KDE application relying on this method in security-critical paths to handle user input, such as Dolphin and Kate with embedded terminals, can be exploited to execute arbitrary commands.

Impact Analysis

This vulnerability can lead to command injection attacks where an attacker crafts input that, when processed by affected KDE applications, executes arbitrary shell commands with the privileges of the user running the application.

If a user pastes or opens manipulated content in applications like Dolphin or Kate that use the vulnerable functions, the attacker can run unintended commands, potentially compromising the user's system.

There is no available workaround, so the only mitigation is to update KCoreAddons to version 6.25 or later or apply the provided patch.

Detection Guidance

This vulnerability affects KDE applications that use the function sendInput() combined with KShell::quoteArg() to pass user input to shell commands, especially in embedded terminals such as those in Dolphin and Kate.

Detection involves monitoring for suspicious input containing control characters like \x01 that could break out of single-quoted contexts and inject shell metacharacters.

Since the vulnerability arises when user input is passed to the terminal via sendInput(), you can look for unusual or unexpected control characters in terminal input or logs.

No specific detection commands are provided in the resources, but you might consider using tools or scripts to scan for control characters in input streams or logs related to KDE applications using embedded terminals.

Mitigation Strategies

There is no workaround available for this vulnerability.

The immediate mitigation step is to update KCoreAddons to version 6.25 or later, where the issue is fixed.

Alternatively, you can apply the patch available at https://invent.kde.org/frameworks/kcoreaddons/-/commit/6153c9ae025fa570174bb4a143df38fa2f46606b.

Until the update or patch is applied, avoid using KDE applications that rely on sendInput() with untrusted user input in embedded terminals.

Compliance Impact

The vulnerability in KDE KCoreAddons allows attackers to inject arbitrary shell commands by exploiting inadequate handling of shell metacharacters in user input. This can lead to unauthorized command execution with the user's privileges.

Such unauthorized command execution could potentially lead to unauthorized access, data breaches, or manipulation of sensitive information, which may violate compliance requirements under standards like GDPR or HIPAA that mandate protection of personal and sensitive data.

However, the provided information does not explicitly discuss or analyze the impact of this vulnerability on compliance with specific regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41526. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart