CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-45184
https://notcve.org/view.php?id=CVE-2026-45184
09 May 2026 — Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used. • https://commits.kde.org/kdenlive/94042ddd259551e4a7a5f6672329752972c84685 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-41525
https://notcve.org/view.php?id=CVE-2026-41525
28 Apr 2026 — KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny. Dolphin's implementation of the FileManager1 protocol allows the path given to be any type of file, including scripts or executables. (By default, Dolphin will then prompt the user to determine if they want to launch a script or executable; however, the intended behavior is to block the attempted action, not present a consent prompt.) • https://github.com/KDE/dolphin/releases/tag/v25.12.3 • CWE-669: Incorrect Resource Transfer Between Spheres
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-41526
https://notcve.org/view.php?id=CVE-2026-41526
28 Apr 2026 — In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \x01 can be used during injection. • https://github.com/KDE/kcoreaddons/blob/50d360736c399502fedf203e95482b0d0e5a3ea2/src/lib/util/kshell.h#L168 • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
CVSS: 4.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-42095
https://notcve.org/view.php?id=CVE-2026-42095
24 Apr 2026 — bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL. • https://github.com/KDE/arianna/tags • CWE-306: Missing Authentication for Critical Function
CVSS: 6.9 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-41527
https://notcve.org/view.php?id=CVE-2026-41527
21 Apr 2026 — KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ensuring that only one instance is running. • https://commits.kde.org/kleopatra/73471abb92d99c56354adb582bfaec2764c22b79 • CWE-670: Always-Incorrect Control Flow Implementation
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-66002 – Local users can perform arbitrary unmounts via smb4k mount helper due to lack of input validation
https://notcve.org/view.php?id=CVE-2025-66002
01 Jan 2026 — An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability allows local users to perform arbitrary unmounts via the smb4k mount helper. Two vulnerabilities were discovered in smb4k, a KDE desktop utility which allows unprivileged mounting of Samba/CIFS network shares, which may result in local denial of service or local privilege escalation. For the stable distribution (trixie), these problems have been fixed in version 4.0.0-1+deb13u1. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66002 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-66003 – Local users can perform a local root exploit via smb4k mounthelper
https://notcve.org/view.php?id=CVE-2025-66003
01 Jan 2026 — An External Control of File Name or Path vulnerability in smb4k allows local users to perform a local root exploit via smb4k mounthelper if they can access and control the contents of a Samba share. This issue affects smb4k: from ? before 4.0.5. Two vulnerabilities were discovered in smb4k, a KDE desktop utility which allows unprivileged mounting of Samba/CIFS network shares, which may result in local denial of service or local privilege escalation. For the stable distribution (trixie), these problems have be... • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66003 • CWE-73: External Control of File Name or Path
CVSS: 3.4 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-69412
https://notcve.org/view.php?id=CVE-2025-69412
31 Dec 2025 — KDE messagelib before 25.11.90 ignores SSL errors for threatMatches:find in the Google Safe Browsing Lookup API (aka phishing API), which might allow spoofing of threat data. NOTE: this Lookup API is not contacted in the messagelib default configuration. • https://developers.google.com/safe-browsing/v4 • CWE-295: Improper Certificate Validation
CVSS: 4.7 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2025-32898
https://notcve.org/view.php?id=CVE-2025-32898
05 Dec 2025 — The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59. • https://kde.org/info/security/advisory-20250418-3.txt • CWE-331: Insufficient Entropy
CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-32899
https://notcve.org/view.php?id=CVE-2025-32899
05 Dec 2025 — In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, it is an invalid discovery packet sent over broadcast UDP. • https://kde.org/info/security/advisory-20250418-1.txt • CWE-1250: Improper Preservation of Consistency Between Independent Representations of Shared State
