KDE Project Security Advisory
=============================

Title:          Kdenlive: Remote code execution via malicious project file
Risk Rating:    High
CVE:            CVE-2026-45184
Versions:       kdenlive < 26.04.1
Author:         Jean-Baptiste Mardelle
Date:           8 May 2026

Overview
========

Kdenlive did not properly validate some parameters in project files.
A specially crafted malicious project file could lead to remote code
execution just by opening it in Kdenlive.

Impact
======

Opening a malicious project file in Kdenlive could lead to remote code
execution or file exfiltration.

Workaround
==========

Do not open a project file that was created by someone else.

Solution
========

Update to Kdenlive >= 26.04.1

Or apply these two patches:
https://commits.kde.org/kdenlive/94042ddd259551e4a7a5f6672329752972c84685
https://commits.kde.org/kdenlive/c3999aacc6da54756f3df8aab03b900459562ecd

Credits
=======

Thanks to Edoardo Geraci and Radically Open Security