An update for kf5-kcoreaddons is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2604 Final 1.0 1.0 2026-06-05 Initial 2026-06-05 2026-06-05 openEuler SA Tool V1.0 2026-06-05 kf5-kcoreaddons security update An update for kf5-kcoreaddons is now available for openEuler-24.03-LTS-SP1 KCoreAddons provides classes built on top of QtCore to perform various tasks such as manipulating mime types, autosaving files, creating backup files, generating random sequences, performing text manipulations such as macro replacement, accessing user information and many more. Security Fix(es): In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \x01 can be used during injection.(CVE-2026-41526) An update for kf5-kcoreaddons is now available for openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High kf5-kcoreaddons https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2604 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-41526 https://nvd.nist.gov/vuln/detail/CVE-2026-41526 openEuler-24.03-LTS-SP1 kf5-kcoreaddons-5.113.0-3.oe2403sp1.aarch64.rpm kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.aarch64.rpm kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.aarch64.rpm kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.aarch64.rpm kf5-kcoreaddons-5.113.0-3.oe2403sp1.src.rpm kf5-kcoreaddons-5.113.0-3.oe2403sp1.x86_64.rpm kf5-kcoreaddons-debuginfo-5.113.0-3.oe2403sp1.x86_64.rpm kf5-kcoreaddons-debugsource-5.113.0-3.oe2403sp1.x86_64.rpm kf5-kcoreaddons-devel-5.113.0-3.oe2403sp1.x86_64.rpm In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \x01 can be used during injection. 2026-06-05 CVE-2026-41526 openEuler-24.03-LTS-SP1 High 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H kf5-kcoreaddons security update 2026-06-05 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2604