Skip to main content

Kdenlive CVE-2026-45184

| EUVDEUVD-2026-28946 MEDIUM
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-05-09 mitre GHSA-8mfr-c96w-64p5
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Patch available
May 10, 2026 - 02:16 EUVD
Analysis Generated
May 09, 2026 - 23:30 vuln.today
CVE Published
May 09, 2026 - 22:25 nvd
MEDIUM 6.5

DescriptionCVE.org

Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used.

AnalysisAI

Kdenlive before version 26.04.1 permits arbitrary command execution through dangerous proxy parameters embedded in attacker-controlled project files. When a victim opens a malicious .kdenlive project file, the application processes untrusted proxy settings without sufficient validation, enabling code execution with the privileges of the user running Kdenlive. This requires user interaction (opening a file) but poses significant risk in contexts where project files are shared or downloaded from untrusted sources.

Technical ContextAI

Kdenlive is a free and open-source video editing application built on the KDE framework. The vulnerability stems from improper sanitization of proxy configuration parameters loaded from project XML files (CWE-829: Improper Initialization with Hard-Coded Network Resource Configuration Data). The proxy mechanism, likely used for streaming or remote media processing, fails to validate parameters before passing them to system commands or network libraries. The KDE project uses Git-based version control, and the referenced commits (94042ddd259551e4a7a5f6672329752972c84685 and c3999aacc6da54756f3df8aab03b900459562ecd) indicate patches were applied to restrict proxy parameter handling.

RemediationAI

Upgrade Kdenlive to version 26.04.1 or later immediately. Users should obtain the patched version from the KDE official website (https://kdenlive.org) or their system package manager. Until patching is possible, avoid opening .kdenlive project files from untrusted or unexpected sources, and disable network proxy functionality in Kdenlive settings if it is not actively required for your workflow. Do not share project files with untrusted collaborators until both parties have upgraded. The Git commits referenced (94042ddd259551e4a7a5f6672329752972c84685 and c3999aacc6da54756f3df8aab03b900459562ecd) are available in the KDE Kdenlive repository and represent the upstream fixes; however, verification that these commits are included in the 26.04.1 release should be performed by checking the official KDE release notes.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-45184 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy