EUVD-2026-20991CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
3Description
dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from openapi.deepin.com or other providers. An MITM attacker could intercept the traffic, replace the avatar with a malicious or misleading image, and potentially identify the user by the avatar. This vulnerability is fixed in dde-control-center 6.1.80 and 5.9.9.
Analysis
Man-in-the-middle attackers can intercept unverified TLS connections in dde-control-center versions prior to 6.1.80 and 5.9.9, allowing replacement of user avatar images fetched from openapi.deepin.com with malicious or misleading content, potentially enabling user identification or social engineering attacks. The vulnerability stems from disabled TLS certificate verification in the plugin-deepinid component and requires no authentication but does require user interaction to trigger avatar fetches.
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today