XFCE 4.16 allows attackers to execute arbitrary code because xdg-open can execute a .desktop file on an attacker-controlled FTP server.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/32xxx/CVE-2022-32278.json",
"cna_assigner": "mitre"
}{
"source": [
"CPE_RANGE",
"REFERENCES"
],
"cpe": "cpe:2.3:a:xfce:exo:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "4.16.4"
},
{
"introduced": "4.17.0"
},
{
"fixed": "4.17.2"
}
]
}"2026-07-09T05:17:44Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-32278.json"
[
{
"id": "CVE-2022-32278-bcd63f95",
"digest": {
"function_hash": "65182670254996745520488544014872230155",
"length": 1092.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://gitlab.xfce.org/xfce/exo@c71c04ff5882b2866a0d8506fb460d4ef796de9f",
"deprecated": false,
"target": {
"function": "exo_open_launch_desktop_file",
"file": "exo-open/main.c"
}
},
{
"id": "CVE-2022-32278-f6634d0a",
"digest": {
"line_hashes": [
"317075828566434803374487862172180080712",
"234380134646955126268904282729473183340",
"75042849870077933110780251556200223641"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://gitlab.xfce.org/xfce/exo@c71c04ff5882b2866a0d8506fb460d4ef796de9f",
"deprecated": false,
"target": {
"file": "exo-open/main.c"
}
}
]