Severity by source
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Lifecycle Timeline
6DescriptionCVE.org
In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \x01 can be used during injection.
AnalysisAI
KDE KCoreAddons before version 6.25 contains an improper neutralization of special elements vulnerability in the KShell::quoteArgs() function that fails to safely escape metacharacters and control characters, allowing local attackers with user interaction to inject arbitrary shell commands or terminal control sequences when user input is passed to shell execution contexts. Applications using this method to quote arguments for security-critical operations are affected; exploitation requires local access and user interaction but can achieve arbitrary code execution with user privileges.
Technical ContextAI
KShell::quoteArgs() is a utility function in KDE KCoreAddons designed to safely escape shell arguments by quoting them before passing to system shell execution. The vulnerability stems from inadequate handling of metacharacters as defined in CWE-150 (Improper Neutralization of Input Leaders in Data Stories). The root cause is that the quoting mechanism does not properly neutralize all special shell characters and control sequences, particularly control characters like \x01 which can be injected via the sendInput() terminal I/O function. This allows escape from the intended shell quoting context. The vulnerability affects any KDE-based application or library that depends on KCoreAddons and uses KShell::quoteArgs() in a security-critical context when processing untrusted user input destined for shell execution.
RemediationAI
Upgrade KDE KCoreAddons to version 6.25.0 or later. Distributions should update their KCoreAddons package and rebuild any dependent applications (particularly KDE Plasma components and applications). For environments unable to immediately upgrade, limit use of KShell::quoteArgs() in security-critical contexts; review application code using this function and replace with alternative argument-passing mechanisms that do not rely on shell quoting (such as direct execve() with argument arrays rather than shell string construction). Disable shell execution paths in applications where feasible, or implement additional input validation and sanitization above the KShell layer to filter control characters and metacharacters before passing to quoting functions. The official KDE security advisory at https://kde.org/info/security/advisory-20260427-1.txt provides vendor guidance on affected applications and recommended upgrade timelines.
Same technique Code Injection
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26004