kde
Latest CVEs
The 15 most recently published vulnerabilities affecting kde.
- CVE-2026-45184: Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used. (6.5)
- CVE-2026-41526: In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leadin... (6.5)
- CVE-2026-41525: KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny. Dolphin's implementation o... (6.5)
- CVE-2026-42095: bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL. (4.0)
- CVE-2026-41527: KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ensuring that only one insta... (6.9)
- CVE-2025-69412: KDE messagelib before 25.11.90 ignores SSL errors for threatMatches:find in the Google Safe Browsing Lookup API (aka phishing API), which might allow spoofing of threat data. NOTE: this Lookup API ... (3.4)
- CVE-2025-66270: The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before ... (4.7)
- CVE-2025-32901: In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash. (4.3)
- CVE-2025-32900: In the KDE Connect information-exchange protocol before 2025-04-18, a packet can be crafted to temporarily change the displayed information about a device, because broadcast UDP is used. This affec... (4.3)
- CVE-2025-32899: In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, it is an invalid discovery packet sent over broadcast UDP. (4.3)
- CVE-2025-32898: The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 2... (4.7)
- CVE-2025-59820: In KDE Krita before 5.2.13, loading a manipulated TGA file could result in a heap-based buffer overflow in plugins/impex/tga/kis_tga_import.cpp (aka KisTgaImport). Control flow proceeds even when a... (6.7)
- CVE-2025-55174: In KDE Skanpage before 25.08.0, an attempt at file overwrite can result in the contents of the new file at the beginning followed by the partial contents of the old file at the end, because of use ... (3.2)
- CVE-2025-49091: KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. It supports loading URLs from the scheme handlers such as a ssh:// or telnet:// or rlogin:// URL. This can be executed... (8.2)
- CVE-2024-57966: libarchiveplugin.cpp in KDE ark before 24.12.0 can extract to an absolute path from an archive. (5.0)