Command Injection Vulnerability in KDE KCoreAddons Affects User Input Handling
CVE-2026-41526

6.5 MEDIUM

Key Information:

Vendor: KDE
CVE Published: 28 April 2026

What is CVE-2026-41526?

KDE KCoreAddons prior to version 6.25 contains a vulnerability in the KShell::quoteArgs function, which is designed to securely quote arguments for shell commands. The function does not properly handle metacharacters, which allows attackers to escape the shell context and can lead to command injection. The issue is exploitable in particular through the sendInput() method, where it enables malicious control characters to be injected into a terminal command. Applications that rely on this function for security-sensitive user input are at risk of exploitation, emphasizing the need for immediate updates and code review.
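
A defensive check for the case described above, as an added example (not KDE's code and not the upstream fix): quoting leaves control bytes intact, and a terminal's line discipline or the shell's line editor acts on them as they arrive regardless of quotes, so text bound for a terminal's input is validated before it is quoted. The function names are hypothetical, and the quoting is generic POSIX single-quoting standing in for a real quoting routine.

```cpp
// Added example: guard for text that will be written to a terminal's input.
// Names are hypothetical; this is not the KShell implementation.
#include <cstddef>
#include <iostream>
#include <string>

// True if s holds a C0 control byte (tab and newline included), DEL, or a
// UTF-8 encoded C1 control (U+0080..U+009F, bytes 0xC2 0x80..0x9F).
bool has_control_chars(const std::string& s) {
    for (std::size_t i = 0; i < s.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(s[i]);
        if (c < 0x20 || c == 0x7f) return true;
        if (c == 0xC2 && i + 1 < s.size()) {
            unsigned char n = static_cast<unsigned char>(s[i + 1]);
            if (n >= 0x80 && n <= 0x9f) return true;
        }
    }
    return false;
}

// Generic POSIX single-quote quoting: wrap in '...' and rewrite ' as '\''.
std::string posix_single_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += "'";
    return out;
}

// Writes the quoted argument to `out` and returns true, or returns false
// when the argument must not be sent to a terminal at all.
bool quote_for_terminal_input(const std::string& arg, std::string& out) {
    if (has_control_chars(arg)) return false;
    out = posix_single_quote(arg);
    return true;
}

int main() {
    // Constructed sample inputs.
    const std::string samples[] = {"report.txt", "it's here.txt",
                                   std::string("a\x03" "b"), "line1\nline2"};
    for (const auto& s : samples) {
        std::string q;
        bool ok = quote_for_terminal_input(s, q);
        std::cout << (ok ? q : std::string("<rejected: control character>")) << "\n";
    }
    return 0;
}
```

Rejecting rather than stripping keeps the caller aware that the input was not what it expected.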

Affected Version(s)

KCoreAddons 0 < 6.25

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
