CVE Catalog

CVE-2026-48700

Critical
Published: Translated: NVD NIST

Summary

All versions of PCManFM-Qt starting from 1.1.0 have an issue where a regular file's path passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call causes PCManFM-Qt to delegate to a different program without user confirmation. This could lead to code execution or circumventing network namespace restrictions.

Risk Assessment

The risk associated with this vulnerability is the potential for unauthorized code execution or network security breaches, which could have serious implications for the organization.

Recommendation

It is recommended to monitor and restrict the use of PCManFM-Qt in security-sensitive environments and consider implementing additional verification mechanisms before delegating tasks to other programs.

Original NVD description (English source)

An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS