BitTorrent · qBittorrent · CVE-2019-13640
**Name of the Vulnerable Software and Affected Versions**
qBittorrent versions prior to 4.1.7
**Description**
The vulnerability is in the function Application::runExternalProgram() in app/application.cpp, which allows command injection via shell metacharacters in the `torrent name` parameter or the `current tracker` parameter. A remote attacker could use this to gain unauthorized access to confidential data, cause a denial of service, or compromise data integrity. Additionally, the DownloadManager component lacked SSL/TLS certificate verification, exposing it to potential man-in-the-middle (MITM) attacks.
**Recommendations**
For versions prior to 4.1.7, update to version 4.1.7 or later to resolve the issue. As a temporary workaround until the fixed version can be installed, consider disabling the `runExternalProgram()` function. Restrict access to the DownloadManager component to minimize the risk of exploitation, and avoid using special characters in the `torrent name` parameter or the `current tracker` parameter of the affected API endpoint until the issue is resolved.
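The following is an added C++ example, not qBittorrent's code, illustrating the bug class in the description and the metacharacter check behind the workaround above: a "torrent name" placeholder (assumed here to be `%N`; the function names and the `notify.sh %N` template are also assumptions) is expanded once into a shell command string and once into an argument vector that never reaches a shell.

```cpp
#include <string>
#include <vector>
#include <sstream>
#include <cstdio>

// Replace every occurrence of `from` in `s`, advancing past the inserted text so
// a torrent name that itself contains "%N" cannot cause an endless loop.
static void replaceAll(std::string& s, const std::string& from, const std::string& to) {
    std::string::size_type pos = 0;
    while ((pos = s.find(from, pos)) != std::string::npos) {
        s.replace(pos, from.size(), to);
        pos += to.size();
    }
}

// Vulnerable pattern (assumed, for illustration): the torrent name is pasted into a
// single command string that is later handed to a shell, so ';', '|', '$(...)' etc.
// in the name are interpreted as shell syntax rather than as part of a filename.
std::string expandForShell(const std::string& tmpl, const std::string& name) {
    std::string cmd = tmpl;
    replaceAll(cmd, "%N", name);
    return cmd;
}

// Hardened pattern: tokenize the template first, then substitute the name inside
// each token. Every token stays one argv element, so a name containing metacharacters
// is passed verbatim to execvp()/QProcess::start(program, args) and never sees a shell.
// (Simplification: the template is split on whitespace only; no quoting support.)
std::vector<std::string> expandToArgv(const std::string& tmpl, const std::string& name) {
    std::vector<std::string> argv;
    std::istringstream in(tmpl);
    for (std::string tok; in >> tok;) {
        replaceAll(tok, "%N", name);
        argv.push_back(tok);
    }
    return argv;
}

// Defensive check matching the advisory's workaround: flag names carrying shell
// metacharacters so they can be logged or refused before any external program runs.
bool hasShellMetachars(const std::string& s) {
    static const std::string meta = ";|&$`<>()\n\"'\\*?[]{}~#";
    return s.find_first_of(meta) != std::string::npos;
}

int main() {
    const std::string name = "video; echo injected";   // constructed sample name
    std::printf("shell string : %s\n", expandForShell("notify.sh %N", name).c_str());
    std::printf("argv[1]      : %s  (metachars=%d)\n", expandToArgv("notify.sh %N", name)[1].c_str(), hasShellMetachars(name));
}
```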