KDE Project Security Advisory
=============================

Title:        KShell: Incorrect command line parsing
Risk rating:  Major
CVE:          CVE-2026-41526
Versions:     KCoreAddons < 6.25
Date:         27 April 2026

Overview
========

Several KDE applications use sendInput() together with KShell::quoteArg()
to insert user-supplied text into the command line of an embedded terminal.
KShell::quoteArg() wraps its argument in single quotes and treats the result
as safe, because a shell parsing a single-quoted word takes every character
in it literally. sendInput(), however, does not hand the string to a shell
parser: it writes it to the terminal without further validation or escaping,
and the terminal and its line editor act on control characters before the
shell ever sees the text.

By embedding control characters such as \x01 (start-of-heading), an attacker
can therefore break out of the single-quoted context and inject additional
shell metacharacters. Crafted input can result in unintended command
execution in contexts where users expect only literal text to be inserted.
Dolphin and Kate are notably affected when their embedded terminal is in use.

Impact
======

An attacker can craft specially formed input that leads to command injection
in terminal sessions. If a victim pastes or opens manipulated content in an
affected application, arbitrary shell commands may be executed with the
privileges of the user.

Workaround
==========

None.

Solution
========

Either:

- Update KCoreAddons to version 6.25 or later.
- Apply the patch
  https://invent.kde.org/frameworks/kcoreaddons/-/commit/6153c9ae025fa570174bb4a143df38fa2f46606b

Credits
=======

Thanks to Felix Boulet for reporting the issue and Tobias Fella for
providing the patch.
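The Overview above describes why quoteArg()-style quoting is not sufficient once the quoted string is written to a terminal with sendInput(). The standalone C++ program below is an added illustration of that point and of a pre-send check; it is not code from KCoreAddons, KShell, Dolphin, Kate or the referenced patch. posixQuote() is a simplified stand-in that reproduces only the single-quote wrapping contract (assumed, not KShell's implementation), hasTerminalControl() is the check an application can run on the argument before calling sendInput(), and quoteForTerminal() and sanitizeForTerminal() are two hypothetical policies built on that check. The sample inputs are constructed for the demonstration.

```cpp
#include <cstdio>
#include <optional>
#include <string>

// Simplified POSIX single-quote wrapping, standing in for what a
// quoteArg()-style helper produces. This is NOT KShell's implementation,
// only the same contract: a shell parsing the result sees one literal word,
// because everything between single quotes is literal to sh, and an
// embedded single quote is emitted as '\'' (close, escaped quote, reopen).
std::string posixQuote(const std::string &arg)
{
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') {
            out += "'\\''";
        } else {
            out += c;
        }
    }
    out += "'";
    return out;
}

// True if the string contains a byte that a terminal or its line editor
// acts on before the shell parses anything: the C0 control range
// (0x00-0x1F, which includes \x01, TAB, LF and ESC) and DEL (0x7F).
// Shell quoting does nothing about these bytes because they are consumed
// by the terminal and never reach the shell as part of the quoted word.
bool hasTerminalControl(const std::string &s)
{
    for (unsigned char c : s) {
        if (c < 0x20 || c == 0x7F) {
            return true;
        }
    }
    return false;
}

// Hypothetical hardened counterpart for the "quote, then sendInput()"
// pattern: refuse to build terminal input at all when the argument would
// not survive quoting. Callers get std::nullopt and must not send anything.
std::optional<std::string> quoteForTerminal(const std::string &arg)
{
    if (hasTerminalControl(arg)) {
        return std::nullopt;
    }
    return posixQuote(arg);
}

// Alternative hypothetical policy when refusing is not acceptable: replace
// each control byte with a visible placeholder before quoting, so the
// terminal receives printable text only. The result is still one literal
// shell word, but the inserted text no longer matches the original.
std::string sanitizeForTerminal(const std::string &arg)
{
    std::string out;
    out.reserve(arg.size());
    for (unsigned char c : arg) {
        out += (c < 0x20 || c == 0x7F) ? '?' : static_cast<char>(c);
    }
    return out;
}

int main()
{
    // Constructed inputs: a harmless file name, a name containing a single
    // quote, and one carrying the \x01 byte from the advisory followed by
    // shell text that should never be executed.
    const std::string samples[] = {
        "report.txt",
        "it's here",
        std::string("evil\001; id"),
    };
    for (const std::string &s : samples) {
        std::printf("quoted naively  : %s\n", posixQuote(s).c_str());
        if (auto q = quoteForTerminal(s)) {
            std::printf("send to terminal: %s\n", q->c_str());
        } else {
            std::printf("rejected (control byte); sanitised form: %s\n",
                        posixQuote(sanitizeForTerminal(s)).c_str());
        }
    }
    return 0;
}
```

Of the two policies, rejecting is the safer default: the placeholder variant keeps the terminal safe but silently inserts text that differs from what the user selected, which is itself a usability and integrity problem. Note also that this check only addresses the terminal side of the pattern; the quoting contract for the shell side is unchanged and still required.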