{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"kf5-kcoreaddons security update", "category":"general", "title":"Synopsis" }, { "text":"An update for kf5-kcoreaddons is now available for openEuler-24.03-LTS-SP1", "category":"general", "title":"Summary" }, { "text":"KCoreAddons provides classes built on top of QtCore to perform various tasks such as manipulating mime types, autosaving files, creating backup files, generating random sequences, performing text manipulations such as macro replacement, accessing user information and many more.\n\nSecurity Fix(es):\n\nIn KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \\x01 can be used during injection.(CVE-2026-41526)", "category":"general", "title":"Description" }, { "text":"An update for kf5-kcoreaddons is now available for openEuler-24.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"kf5-kcoreaddons", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2026-2604", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2604" }, { "summary":"CVE-2026-41526", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-41526&packageName=kf5-kcoreaddons" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41526" }, { "summary":"openEuler-SA-2026-2604 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2026/csaf-openeuler-sa-2026-2604.json" } ], "title":"An update for kf5-kcoreaddons is now available for openEuler-24.03-LTS-SP1", "tracking":{ "initial_release_date":"2026-06-08T15:01:42+08:00", "revision_history":[ { "date":"2026-06-08T15:01:42+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2026-06-08T15:01:42+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2026-06-08T15:01:42+08:00", "id":"openEuler-SA-2026-2604", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"openEuler-24.03-LTS-SP1", "name":"openEuler-24.03-LTS-SP1" }, "name":"openEuler-24.03-LTS-SP1", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"kf5-kcoreaddons-5.113.0-3.oe2403sp1.aarch64.rpm", "name":"kf5-kcoreaddons-5.113.0-3.oe2403sp1.aarch64.rpm" }, "name":"kf5-kcoreaddons-5.113.0-3.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.aarch64.rpm", "name":"kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.aarch64.rpm" }, "name":"kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.aarch64.rpm", "name":"kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.aarch64.rpm" }, "name":"kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.aarch64.rpm", "name":"kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.aarch64.rpm" }, "name":"kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"kf5-kcoreaddons-5.113.0-3.oe2403sp1.src.rpm", "name":"kf5-kcoreaddons-5.113.0-3.oe2403sp1.src.rpm" }, "name":"kf5-kcoreaddons-5.113.0-3.oe2403sp1.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"kf5-kcoreaddons-5.113.0-3.oe2403sp1.x86_64.rpm", "name":"kf5-kcoreaddons-5.113.0-3.oe2403sp1.x86_64.rpm" }, "name":"kf5-kcoreaddons-5.113.0-3.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.x86_64.rpm", "name":"kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.x86_64.rpm" }, "name":"kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.x86_64.rpm", "name":"kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.x86_64.rpm" }, "name":"kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.x86_64.rpm", "name":"kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.x86_64.rpm" }, "name":"kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.x86_64.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"kf5-kcoreaddons-5.113.0-3.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:kf5-kcoreaddons-5.113.0-3.oe2403sp1.aarch64", "name":"kf5-kcoreaddons-5.113.0-3.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.aarch64", "name":"kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.aarch64", "name":"kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.aarch64", "name":"kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"kf5-kcoreaddons-5.113.0-3.oe2403sp1.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:kf5-kcoreaddons-5.113.0-3.oe2403sp1.src", "name":"kf5-kcoreaddons-5.113.0-3.oe2403sp1.src as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"kf5-kcoreaddons-5.113.0-3.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:kf5-kcoreaddons-5.113.0-3.oe2403sp1.x86_64", "name":"kf5-kcoreaddons-5.113.0-3.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.x86_64", "name":"kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.x86_64", "name":"kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.x86_64", "name":"kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2026-41526", "notes":[ { "text":"In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \\x01 can be used during injection.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-5.113.0-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-5.113.0-3.oe2403sp1.src", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-5.113.0-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-5.113.0-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-5.113.0-3.oe2403sp1.src", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-5.113.0-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.x86_64" ], "details":"kf5-kcoreaddons security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2604" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.8, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-5.113.0-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-5.113.0-3.oe2403sp1.src", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-5.113.0-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.x86_64" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2026-41526" } ] }