Skip to main content

Pcmanfm Qt EUVDEUVD-2026-31487

| CVE-2026-48700 CRITICAL
Improper Control of Dynamically-Managed Code Resources (CWE-913)
2026-05-22 mitre GHSA-j7mp-frq8-hwp3
Critical
Disputed · 9.3 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N/R:I/V:D/RE:M/U:Clear
SUSE
MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N/R:I/V:D/RE:M/U:Clear
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None

Lifecycle Timeline

1
CVE Published
May 22, 2026 - 18:43 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O.

Analysis

An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O.

Vendor StatusVendor

SUSE

Severity: Moderate

Share

EUVD-2026-31487 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy