VIR Vulnerability Intelligence Relay

CVE-2026-41525

medium
Published 2026-04-28 · Modified 2026-05-19
CVSS v3
6.5
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
CVSS v2
VIR risk
6.5

Description

KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny. Dolphin's implementation of the FileManager1 protocol allows the path given to be any type of file, including scripts or executables. (By default, Dolphin will then prompt the user to determine if they want to launch a script or executable; however, the intended behavior is to block the attempted action, not present a consent prompt.)

Predictions

Exploit likelihood
65%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-41525

OS impact
OSVersionStatusFixed in
debian debianbookwormaffected
debian debianbullseyeaffected
debian debianforkyfixed4:26.04.0-1
debian debiansidfixed4:26.04.0-1
debian debiantrixieaffected

References

CWEs

CWE-669

Verify integrity in audit chain (admin only). AS-IS.