UBUNTU-CVE-2026-41525

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-41525

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41525.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-41525

Upstream

CVE-2026-41525

Published

2026-04-28T08:16:00Z

Modified

2026-05-20T16:25:41.864274323Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny. Dolphin's implementation of the FileManager1 protocol allows the path given to be any type of file, including scripts or executables. (By default, Dolphin will then prompt the user to determine if they want to launch a script or executable; however, the intended behavior is to block the attempted action, not present a consent prompt.)

References

Affected packages

Ubuntu:16.04:LTS

dolphin

Package

Name: dolphin
Purl: pkg:deb/ubuntu/dolphin?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4:15.*

4:15.08.2-0ubuntu1

4:15.12.1-0ubuntu1

4:15.12.3-0ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "4:15.12.3-0ubuntu1",
            "binary_name": "dolphin"
        },
        {
            "binary_version": "4:15.12.3-0ubuntu1",
            "binary_name": "libdolphinvcs5"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41525.json"

Ubuntu:18.04:LTS

dolphin

Package

Name: dolphin
Purl: pkg:deb/ubuntu/dolphin?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4:17.*

4:17.04.3-0ubuntu2

4:17.08.3-0ubuntu1

4:17.12.2-0ubuntu1

4:17.12.3-0ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "4:17.12.3-0ubuntu1",
            "binary_name": "dolphin"
        },
        {
            "binary_version": "4:17.12.3-0ubuntu1",
            "binary_name": "libdolphinvcs5"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41525.json"

Ubuntu:20.04:LTS

dolphin

Package

Name: dolphin
Purl: pkg:deb/ubuntu/dolphin?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4:19.*

4:19.04.3-0ubuntu1

4:19.04.3-0ubuntu2

4:19.08.1-1ubuntu1

4:19.08.3-0ubuntu1

4:19.12.0-0ubuntu1

4:19.12.1-0ubuntu1

4:19.12.2-0ubuntu1

4:19.12.3-0ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "4:19.12.3-0ubuntu1",
            "binary_name": "dolphin"
        },
        {
            "binary_version": "4:19.12.3-0ubuntu1",
            "binary_name": "libdolphinvcs5"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41525.json"

Ubuntu:22.04:LTS

dolphin

Package

Name: dolphin
Purl: pkg:deb/ubuntu/dolphin?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4:21.*

4:21.08.1-1ubuntu1

4:21.08.3-0ubuntu1

4:21.11.80-0ubuntu1

4:21.11.90-0ubuntu2

4:21.12.0-0ubuntu1

4:21.12.1-0ubuntu1

4:21.12.2-0ubuntu1

4:21.12.2.1-0ubuntu1

4:21.12.3-0ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "4:21.12.3-0ubuntu1",
            "binary_name": "dolphin"
        },
        {
            "binary_version": "4:21.12.3-0ubuntu1",
            "binary_name": "libdolphinvcs5"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41525.json"

Ubuntu:24.04:LTS

dolphin

Package

Name: dolphin
Purl: pkg:deb/ubuntu/dolphin?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4:23.*

4:23.08.1-0ubuntu1

4:23.08.2-0ubuntu1

4:23.08.3-0ubuntu1

4:23.08.4-0ubuntu1

4:23.08.5-0ubuntu1

4:23.08.5-0ubuntu2

4:23.08.5-0ubuntu3

4:23.08.5-0ubuntu4

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "4:23.08.5-0ubuntu4",
            "binary_name": "dolphin"
        },
        {
            "binary_version": "4:23.08.5-0ubuntu4",
            "binary_name": "libdolphinvcs5"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41525.json"

Ubuntu:25.10

dolphin

Package

Name: dolphin
Purl: pkg:deb/ubuntu/dolphin?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4:24.*

4:24.12.3-0ubuntu2

4:25.*

4:25.04.0-0ubuntu1

4:25.04.1-0ubuntu1

4:25.04.2-0ubuntu1

4:25.04.2-1ubuntu1

4:25.04.3-0ubuntu1

4:25.07.80-0ubuntu1

4:25.07.90-0ubuntu1

4:25.08.0-0ubuntu1

4:25.08.1-0ubuntu1

4:25.08.1-0ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "4:25.08.1-0ubuntu2",
            "binary_name": "dolphin"
        },
        {
            "binary_version": "4:25.08.1-0ubuntu2",
            "binary_name": "dolphin-data"
        },
        {
            "binary_version": "4:25.08.1-0ubuntu2",
            "binary_name": "libdolphinvcs6"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41525.json"

Ubuntu:26.04:LTS

dolphin

Package

Name: dolphin
Purl: pkg:deb/ubuntu/dolphin?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4:25.*

4:25.08.1-0ubuntu2

4:25.08.2-0ubuntu1

4:25.08.3-0ubuntu1

4:25.08.3-0ubuntu2

4:25.11.80-0ubuntu1

4:25.11.90-0ubuntu1

4:25.12.0-0ubuntu1

4:25.12.1-0ubuntu1

4:25.12.1-1ubuntu1

4:25.12.1-1ubuntu2

4:25.12.2-0ubuntu1

4:25.12.2-0ubuntu2

4:25.12.3-0ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "4:25.12.3-0ubuntu1",
            "binary_name": "dolphin"
        },
        {
            "binary_version": "4:25.12.3-0ubuntu1",
            "binary_name": "dolphin-data"
        },
        {
            "binary_version": "4:25.12.3-0ubuntu1",
            "binary_name": "libdolphinvcs6"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41525.json"