CVE-2018-10895

Name of the Vulnerable Software and Affected Versions qutebrowser versions prior to 1.4.1

Description The issue allows malicious websites to access 'qute://*' URLs, potentially leading to arbitrary code execution. This can be achieved by loading a 'qute://settings/set' URL, which sets the editor.command to a bash script.

Recommendations For versions prior to 1.4.1, update to version 1.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to 'qute://*' URLs to prevent malicious websites from exploiting this flaw. Additionally, avoid using the editor.command variable to execute bash scripts until the issue is resolved.