{"id":"CVE-2024-42029","details":"xdg-desktop-portal-hyprland (aka an XDG Desktop Portal backend for Hyprland) before 1.3.3 allows OS command execution, e.g., because single quotes are not used when sending a list of app IDs and titles via the environment.","modified":"2026-04-12T10:53:09.336452Z","published":"2024-07-27T04:15:02.760Z","references":[{"type":"WEB","url":"https://github.com/hyprwm/xdg-desktop-portal-hyprland/releases/tag/v1.3.3"},{"type":"REPORT","url":"https://github.com/hyprwm/xdg-desktop-portal-hyprland/issues/242"},{"type":"FIX","url":"https://github.com/hyprwm/xdg-desktop-portal-hyprland/commit/0bb709491baffd69f4f861802f00cf60c77cc2cd"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hyprwm/xdg-desktop-portal-hyprland","events":[{"introduced":"0"},{"fixed":"663be9cad424b170b28b9fa8a61042d721007f3b"},{"fixed":"0bb709491baffd69f4f861802f00cf60c77cc2cd"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.3.3"}]}}],"versions":["v0.1.0","v0.2.0","v0.2.1","v0.3.0","v0.3.1","v0.4.0","v0.5.0","v1.0.0","v1.1.0","v1.2.0","v1.2.1","v1.2.2","v1.2.3","v1.2.4","v1.2.5","v1.2.6","v1.3.0","v1.3.1","v1.3.2"],"database_specific":{"vanir_signatures_modified":"2026-04-12T10:53:09Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42029.json","vanir_signatures":[{"deprecated":false,"id":"CVE-2024-42029-0d0da702","signature_version":"v1","signature_type":"Function","target":{"file":"src/shared/ScreencopyShared.cpp","function":"sanitizeNameForWindowList"},"source":"https://github.com/hyprwm/xdg-desktop-portal-hyprland/commit/0bb709491baffd69f4f861802f00cf60c77cc2cd","digest":{"function_hash":"339824184505221654862837895756808425377","length":295}},{"deprecated":false,"id":"CVE-2024-42029-615c8cbb","signature_version":"v1","signature_type":"Function","target":{"file":"src/portals/Screenshot.cpp","function":"CScreenshotPortal::onScreenshot"},"source":"https://github.com/hyprwm/xdg-desktop-portal-hyprland/commit/0bb709491baffd69f4f861802f00cf60c77cc2cd","digest":{"function_hash":"226988745604055160673845921031300067154","length":1141}},{"deprecated":false,"id":"CVE-2024-42029-6ac23960","signature_version":"v1","signature_type":"Line","target":{"file":"src/shared/ScreencopyShared.cpp"},"source":"https://github.com/hyprwm/xdg-desktop-portal-hyprland/commit/0bb709491baffd69f4f861802f00cf60c77cc2cd","digest":{"threshold":0.9,"line_hashes":["263353676725836984454338072864965789616","267385591937378893114695760875548620478","162445810971826390043729114434286489498","159529140581881390253434995123153536832","22419902531322941293705666853242338747","260115692627439796104343584620224222531","4308625417775660837253756440118071176","38343150690842652122549721831897302629","156430145538550124046286059626466844354"]}},{"deprecated":false,"id":"CVE-2024-42029-6e2ca064","signature_version":"v1","signature_type":"Line","target":{"file":"src/portals/Screencopy.cpp"},"source":"https://github.com/hyprwm/xdg-desktop-portal-hyprland/commit/0bb709491baffd69f4f861802f00cf60c77cc2cd","digest":{"threshold":0.9,"line_hashes":["22236800427479599331756703542064575390","153693121718848738332313764025811101925","300172920906603010037492998758735839327","336024901254686825919957240940457792278"]}},{"deprecated":false,"id":"CVE-2024-42029-c45daa2e","signature_version":"v1","signature_type":"Line","target":{"file":"src/shared/ScreencopyShared.hpp"},"source":"https://github.com/hyprwm/xdg-desktop-portal-hyprland/commit/0bb709491baffd69f4f861802f00cf60c77cc2cd","digest":{"threshold":0.9,"line_hashes":["236544608746723644571968326095784264585","72665977629219456687345857466537189155","242969042309093449442284878386152926046","57223873975587882599277000252735014100","296199707000582846300893121350927773266"]}},{"deprecated":false,"id":"CVE-2024-42029-e6514538","signature_version":"v1","signature_type":"Line","target":{"file":"src/helpers/Log.hpp"},"source":"https://github.com/hyprwm/xdg-desktop-portal-hyprland/commit/0bb709491baffd69f4f861802f00cf60c77cc2cd","digest":{"threshold":0.9,"line_hashes":["101103267360459191430588124871542855495","190281958750636965079634839616893945663","274678928264551362284413814191892410366","3449922670485100075204978239567409239","248178104946905635616142211136115950646","110657868155716707247872920496092106763","75617608514168065846690318934222645158","136704257797979985496903033377381172105","136728006112097361984273699499486809153"]}},{"deprecated":false,"id":"CVE-2024-42029-e88c15fa","signature_version":"v1","signature_type":"Function","target":{"file":"src/shared/ScreencopyShared.cpp","function":"promptForScreencopySelection"},"source":"https://github.com/hyprwm/xdg-desktop-portal-hyprland/commit/0bb709491baffd69f4f861802f00cf60c77cc2cd","digest":{"function_hash":"53969150223300511150468630837663550661","length":2401}},{"deprecated":false,"id":"CVE-2024-42029-f86b413a","signature_version":"v1","signature_type":"Line","target":{"file":"src/portals/Screenshot.cpp"},"source":"https://github.com/hyprwm/xdg-desktop-portal-hyprland/commit/0bb709491baffd69f4f861802f00cf60c77cc2cd","digest":{"threshold":0.9,"line_hashes":["38282054404288652055878473809753785275","335050272739078331988220467684294530723","209193135884993318914254567970286257673","230060244792769958480231059943350723572","19142846056624570894709099800986078332","63916027592623899689708360647275086211","306819543869685256433155915862682751670","325607819160316271825753244741670355739","324787880936985428514095896572894831530","276029557463020489394897244836861132496","304978318538451508759437018186902311894","263963613143031026094373369523069587359","225934950136995995273726719329961993895","324090524719508611010354660463528396766","94797437216311493141661686009749205172","148731127540347652901856742039849290201","10950153470404941461684985116022230876","10602845271067801644232351782510893485","24322258622387066722367968282215476523","81759145937571033914036077902484902962","88217685472019319954756158843038962145","207526173658531031556546653665461400706","277689663708399266848029713645882304574","126620767343770445970461985287548832069","63255683396406838921355557431676312090","47913797360004250095460945866744802688","6465928612338906098569569799284656680"]}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}]}