PT-2026-35678 · Kde · Kcoreaddons

Felix Boulet · Published 2026-04-28 · Updated 2026-05-05 · CVE-2026-41526

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

KDE KCoreAddons versions prior to 6.25

Description

The KShell::quoteArgs() function is designed to safely quote arguments for shell commands. However, it does not adequately handle metacharacters, which can lead to a shell escape. Applications that use this function in security-critical paths to process user input are affected. Specifically, because sendInput() transmits strings to a terminal, a control character such as \x01 can be used during the injection.

Recommendations

Update to version 6.25 or later.
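
A defensive check for the case the description names, as an added example (not KCoreAddons code and not the upstream fix): a simplified POSIX single-quote quoter leaves a control byte such as \x01 unchanged, so a caller that sends quoted text to a terminal refuses such input first. All function names and sample strings are assumptions made for illustration.

```cpp
#include <iostream>
#include <optional>
#include <string>
#include <string_view>

// Simplified stand-in for a POSIX single-quote quoter (NOT KShell's code):
// wraps the argument in '...' and rewrites each embedded ' as '\''.
std::string posixSingleQuote(std::string_view arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += '\'';
    return out;
}

// True if the string holds a byte that a terminal or line editor acts on
// instead of treating as text: C0 controls (0x00-0x1F, which includes
// tab and newline) and DEL (0x7F).
bool hasTerminalControlByte(std::string_view s) {
    for (unsigned char c : s) {
        if (c < 0x20 || c == 0x7F) return true;
    }
    return false;
}

// Hypothetical guard for callers that send quoted text to a terminal:
// returns the quoted argument, or nullopt when the input must be refused.
std::optional<std::string> quoteForTerminalInput(std::string_view arg) {
    if (hasTerminalControlByte(arg)) return std::nullopt;
    return posixSingleQuote(arg);
}

// Constructed sample inputs.
const std::string kPlain = "report's final.txt";
const std::string kWithCtrlA = std::string("name") + '\x01' + "tail";

int main() {
    // Quoting alone does not remove the control byte.
    std::cout << "quoted output still has control byte: "
              << hasTerminalControlByte(posixSingleQuote(kWithCtrlA)) << "\n";
    std::cout << "guard accepts plain input: "
              << quoteForTerminalInput(kPlain).has_value() << "\n";
    std::cout << "guard accepts \\x01 input: "
              << quoteForTerminalInput(kWithCtrlA).has_value() << "\n";
}
```

The check covers single-byte C0 controls and DEL only; it does not replace updating to the fixed version.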


Related Identifiers

CVE-2026-41526

Affected Products

Kcoreaddons