
CVE-2025-52968
https://notcve.org/view.php?id=CVE-2025-52968
23 Jun 2025 — xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide in... • https://cgit.freedesktop.org/xdg/xdg-utils/tag/?h=v1.2.1 • CWE-420: Unprotected Alternate Channel •

CVE-2017-18266 – Ubuntu Security Notice USN-3650-1
https://notcve.org/view.php?id=CVE-2017-18266
10 May 2018 — The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment variable. • https://bugs.freedesktop.org/show_bug.cgi?id=103807 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVE-2009-0068
https://notcve.org/view.php?id=CVE-2009-0068
07 Jan 2009 — Interaction error in xdg-open allows remote attackers to execute arbitrary code by sending a file with a dangerous MIME type but using a safe type that Firefox sends to xdg-open, which causes xdg-open to process the dangerous file type through automatic type detection, as demonstrated by overwriting the .desktop file. • http://www.openwall.com/lists/oss-security/2009/01/06/1 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2008-0386 – Gentoo Linux Security Advisory 200801-21
https://notcve.org/view.php?id=CVE-2008-0386
01 Feb 2008 — Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a URL argument to (1) xdg-open or (2) xdg-email. A vulnerability was found in xdg-open and xdg-email commands, which allows remote attackers to execute arbitrary commands if... • http://bugs.gentoo.org/show_bug.cgi?id=207331 • CWE-20: Improper Input Validation •
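Added example, not code from xdg-utils: a POSIX sh script that models the two launch patterns behind CVE-2008-0386 (the URL spliced into a command string the shell re-parses, so metacharacters such as ; become shell syntax) and CVE-2017-18266 (the BROWSER template's %s filled in with printf and executed through an unquoted command substitution, so whitespace in the URL is word-split into extra browser arguments), next to a hardened launcher that passes the URL as a single argv element and refuses URLs containing whitespace. The names fake_browser, marker, eval_open_envvar, printf_open_envvar and safe_open_envvar are assumptions for this demo; fake_browser stands in for the real browser and only reports the argv it receives, and BROWSER is assumed to hold one command template (the real script also accepts a colon-separated list). The sample URLs are constructed.

```shell
#!/bin/sh
# Added example (not the xdg-utils script). Assumed helper names throughout.

# Stand-in for the browser: line 1 is argc, then one "arg:" line per argument,
# so the reader can see exactly how the URL reached the program.
fake_browser() {
    printf '%s\n' "$#"
    for a in "$@"; do printf 'arg: %s\n' "$a"; done
}

# Stand-in for an attacker's payload: if this prints, injection succeeded.
marker() { printf 'INJECTED\n'; }

# CVE-2008-0386 pattern: the URL becomes part of a command string that the
# shell parses again (eval here; "sh -c" behaves the same), so ; | $( ) and
# similar metacharacters in the URL are executed as shell syntax.
eval_open_envvar() {
    eval "$(printf "$BROWSER" "$1")"
}

# CVE-2017-18266 pattern: %s is filled in with printf and the result is run
# through an UNQUOTED command substitution. The shell does not re-parse
# metacharacters here, but it does word-split on IFS, so whitespace inside the
# URL yields additional arguments to the browser (argument injection).
printf_open_envvar() {
    case $BROWSER in
        *%s*) $(printf "$BROWSER" "$1") ;;
        *)    $BROWSER "$1" ;;
    esac
}

# Hardened launcher: never re-parse or word-split the URL. Only the BROWSER
# template (set by the user, not the attacker) is split into words; the URL
# replaces a word that is exactly %s as one argv element, or is appended if
# the template has no %s. A valid URI never contains whitespace, so such
# input is refused rather than silently split.
safe_open_envvar() {
    url=$1
    case $url in
        *[[:space:]]*) printf 'refusing URL containing whitespace\n' >&2; return 1 ;;
    esac
    substituted=0
    set --
    for word in $BROWSER; do
        if [ "$word" = "%s" ]; then
            set -- "$@" "$url"; substituted=1
        else
            set -- "$@" "$word"
        fi
    done
    [ "$substituted" = 1 ] || set -- "$@" "$url"
    "$@"
}

# Demo with constructed inputs: a metacharacter URL and a whitespace URL.
BROWSER='fake_browser %s'
printf '%s\n' '--- eval pattern, metacharacter URL (payload runs) ---'
eval_open_envvar 'http://example.com/;marker'
printf '%s\n' '--- printf pattern, whitespace URL (extra argument injected) ---'
printf_open_envvar 'http://example.com/ --kiosk'
printf '%s\n' '--- hardened, metacharacter URL (arrives intact, one argument) ---'
safe_open_envvar 'http://example.com/;marker'
printf '%s\n' '--- hardened, whitespace URL (refused) ---'
safe_open_envvar 'http://example.com/ --kiosk' || true
```

The split between the two vulnerable patterns matters for triage: the printf variant does not execute ;marker, so a test that only probes for shell metacharacters would miss the 2017 bug, while a URL carrying a space followed by a browser flag exposes it immediately.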