{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-41526", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T13:07:56.176Z", "dateReserved": "2026-04-20T00:00:00.000Z", "datePublished": "2026-04-28T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "KCoreAddons", "vendor": "KDE", "versions": [{"lessThan": "6.25", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \\x01 can be used during injection."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-150", "description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-28T06:52:22.174Z"}, "references": [{"url": "https://invent.kde.org/frameworks/kcoreaddons/"}, {"url": "https://github.com/KDE/kcoreaddons/blob/50d360736c399502fedf203e95482b0d0e5a3ea2/src/lib/util/kshell.h#L43-L49"}, {"url": "https://github.com/KDE/kcoreaddons/blob/50d360736c399502fedf203e95482b0d0e5a3ea2/src/lib/util/kshell.h#L168"}, {"url": "https://github.com/KDE/kcoreaddons/releases/tag/v6.25.0"}, {"url": "https://kde.org/info/security/advisory-20260427-1.txt"}], "x_generator": {"engine": "enrichogram 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T13:00:44.980535Z", "id": "CVE-2026-41526", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:07:56.176Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-41526", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T13:07:56.176Z", "dateReserved": "2026-04-20T00:00:00.000Z", "datePublished": "2026-04-28T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "KCoreAddons", "vendor": "KDE", "versions": [{"lessThan": "6.25", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \\x01 can be used during injection."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-150", "description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-28T06:52:22.174Z"}, "references": [{"url": "https://invent.kde.org/frameworks/kcoreaddons/"}, {"url": "https://github.com/KDE/kcoreaddons/blob/50d360736c399502fedf203e95482b0d0e5a3ea2/src/lib/util/kshell.h#L43-L49"}, {"url": "https://github.com/KDE/kcoreaddons/blob/50d360736c399502fedf203e95482b0d0e5a3ea2/src/lib/util/kshell.h#L168"}, {"url": "https://github.com/KDE/kcoreaddons/releases/tag/v6.25.0"}, {"url": "https://kde.org/info/security/advisory-20260427-1.txt"}], "x_generator": {"engine": "enrichogram 0.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41526", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T13:00:44.980535Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:03:33.729Z"}}]}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kde:kcoreaddons:*:*:*:*:*:*:*:*", "matchCriteriaId": "B9E0D1D8-4EAB-491A-8678-D3183FA933CB", "versionEndExcluding": "6.25.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \\x01 can be used during injection."}], "id": "CVE-2026-41526", "lastModified": "2026-05-05T17:25:06.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.5, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-28T08:16:01.647", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/KDE/kcoreaddons/blob/50d360736c399502fedf203e95482b0d0e5a3ea2/src/lib/util/kshell.h#L168"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/KDE/kcoreaddons/blob/50d360736c399502fedf203e95482b0d0e5a3ea2/src/lib/util/kshell.h#L43-L49"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/KDE/kcoreaddons/releases/tag/v6.25.0"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://invent.kde.org/frameworks/kcoreaddons/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://kde.org/info/security/advisory-20260427-1.txt"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-150"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.25)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "KCoreAddons", "source": "cna", "vendor": "KDE"}, "product": "kcoreaddons", "vendor": "kde"}], "analysis": {"en": {"generated_at": "2026-04-28T12:36:42.906027+00:00", "value": {"mitigation_remediation": ["Upgrade KDE KCoreAddons to version 6.25 or later.", "Ensure all applications that rely on KShell::quoteArgs have been updated or patched to the fixed version.", "If an update is not possible, restrict or sanitize input passed to sendInput() to remove control characters and prevent shell escape."], "summary": {"action": "Apply Patch", "impact": "Shell Escape and Potential Injection"}, "threat_synthesis": {"affected_systems": "KDE KCoreAddons under the KDE:KCoreAddons vendor is affected in all releases prior to version 6.25. Any application that calls KShell::quoteArgs in a security\u2011critical path, especially those that forward user input to a terminal via sendInput(), is at risk.", "description_and_impact": "KShell::quoteArgs in KDE KCoreAddons was designed to wrap command line arguments but does not correctly escape all metacharacters. This flaw allows an attacker to craft input that escapes the intended shell context, using characters such as \\x01. The result is that arbitrary shell commands can be injected where the function is used, potentially executing code with the privileges of the application. This is a classic shell injection flaw described by CWE-150.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, but the lack of an available EPSS score means the exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely need local or application level access to provide malicious input; the flaw does not expose a network\u2011exposed attack vector. Nevertheless, because the vulnerability can result in arbitrary command execution, it should be treated with caution."}}}}, "created": "2026-04-28T09:16:39.010579+00:00", "title": "Shell Argument Quoting Vulnerability Leading to Escape in KCoreAddons", "updated": "2026-04-28T12:45:31.387220+00:00", "vendors": ["kde", "kde$PRODUCT$kcoreaddons"]}