NIXPKGS-2026-1288

GitHub issue published on

Permalink CVE-2026-41525

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): LOW

updated 11 hours ago by @LeSuisse Activity log

Created suggestion 17 hours ago
@LeSuisse ignored
2 references
- https://invent.kde.org/system/dolphin/
- https://github.com/KDE/dolphin/releases…
11 hours ago
@LeSuisse ignored
5 packages
- dolphin-emu
- libretro.dolphin
- dolphin-emu-primehack
- kdePackages.dolphin-plugins
- opencloud-desktop-shell-integration-dolphin
11 hours ago
@LeSuisse accepted 11 hours ago
@LeSuisse published on GitHub 11 hours ago

KDE Dolphin before 25.12.3 allows applications in a Flatpak (or …

KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny. Dolphin's implementation of the FileManager1 protocol allows the path given to be any type of file, including scripts or executables. (By default, Dolphin will then prompt the user to determine if they want to launch a script or executable; however, the intended behavior is to block the attempted action, not present a consent prompt.)

References

https://kde.org/info/security/advisory-20260427-2.txt

Ignored references (2)

Affected products

Dolphin

<25.12.3

Matching in nixpkgs

pkgs.kdePackages.dolphin

File manager by KDE

nixos-unstable 26.04.0
- nixpkgs-unstable 26.04.0
- nixos-unstable-small 26.04.0
nixos-25.11 25.08.3
- nixos-25.11-small 25.08.3
- nixpkgs-25.11-darwin 25.08.3

Ignored packages (5)

pkgs.dolphin-emu

Gamecube/Wii/Triforce emulator for x86_64 and ARMv8

nixos-unstable 2603a
- nixpkgs-unstable 2603a
- nixos-unstable-small 2603a
nixos-25.11 2512
- nixos-25.11-small 2512
- nixpkgs-25.11-darwin 2512

pkgs.libretro.dolphin

Port of Dolphin to libretro

nixos-unstable 0-unstable-2025-08-05
- nixpkgs-unstable 0-unstable-2025-08-05
- nixos-unstable-small 0-unstable-2025-08-05
nixos-25.11 0-unstable-2025-08-05
- nixos-25.11-small 0-unstable-2025-08-05
- nixpkgs-25.11-darwin 0-unstable-2025-08-05

pkgs.dolphin-emu-primehack

Gamecube/Wii/Triforce emulator for x86_64 and ARMv8

nixos-unstable 1.0.8
- nixpkgs-unstable 1.0.8
- nixos-unstable-small 1.0.8
nixos-25.11 1.0.8
- nixos-25.11-small 1.0.8
- nixpkgs-25.11-darwin 1.0.8

pkgs.kdePackages.dolphin-plugins

Plugins for Dolphin

nixos-unstable 26.04.0
- nixpkgs-unstable 26.04.0
- nixos-unstable-small 26.04.0
nixos-25.11 25.08.3
- nixos-25.11-small 25.08.3
- nixpkgs-25.11-darwin 25.08.3

pkgs.opencloud-desktop-shell-integration-dolphin

OpenCloud Desktop shell integration for the great KDE Dolphin in KDE Frameworks 6

nixos-unstable 1.0.0
- nixpkgs-unstable 1.0.0
- nixos-unstable-small 1.0.0
nixos-25.11 1.0.0
- nixos-25.11-small 1.0.0
- nixpkgs-25.11-darwin 1.0.0

Package maintainers

@nyanloutre Paul Trehiou <paul@nyanlout.re>
@peterhoeg Peter Hoeg <peter@hoeg.com>
@NickCao Nick Cao <nickcao@nichi.co>
@ilya-fedin Ilya Fedin <fedin-ilja2010@ya.ru>
@FRidh Frederik Rietdijk <fridh@fridh.nl>
@bkchr Bastian Köcher <nixos@kchr.de>
@LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev>
@mjm Matt Moriarity <matt@mattmoriarity.com>
@K900 Ilya K. <me@0upti.me>
@ttuegel Thomas Tuegel <ttuegel@mailbox.org>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1288