Severity by source
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Lifecycle Timeline
3DescriptionCVE.org
Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used.
AnalysisAI
Kdenlive before version 26.04.1 permits arbitrary command execution through dangerous proxy parameters embedded in attacker-controlled project files. When a victim opens a malicious .kdenlive project file, the application processes untrusted proxy settings without sufficient validation, enabling code execution with the privileges of the user running Kdenlive. This requires user interaction (opening a file) but poses significant risk in contexts where project files are shared or downloaded from untrusted sources.
Technical ContextAI
Kdenlive is a free and open-source video editing application built on the KDE framework. The vulnerability stems from improper sanitization of proxy configuration parameters loaded from project XML files (CWE-829: Improper Initialization with Hard-Coded Network Resource Configuration Data). The proxy mechanism, likely used for streaming or remote media processing, fails to validate parameters before passing them to system commands or network libraries. The KDE project uses Git-based version control, and the referenced commits (94042ddd259551e4a7a5f6672329752972c84685 and c3999aacc6da54756f3df8aab03b900459562ecd) indicate patches were applied to restrict proxy parameter handling.
RemediationAI
Upgrade Kdenlive to version 26.04.1 or later immediately. Users should obtain the patched version from the KDE official website (https://kdenlive.org) or their system package manager. Until patching is possible, avoid opening .kdenlive project files from untrusted or unexpected sources, and disable network proxy functionality in Kdenlive settings if it is not actively required for your workflow. Do not share project files with untrusted collaborators until both parties have upgraded. The Git commits referenced (94042ddd259551e4a7a5f6672329752972c84685 and c3999aacc6da54756f3df8aab03b900459562ecd) are available in the KDE Kdenlive repository and represent the upstream fixes; however, verification that these commits are included in the 26.04.1 release should be performed by checking the official KDE release notes.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28946
GHSA-8mfr-c96w-64p5