{"id":"CVE-2026-48700","details":"An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O.","modified":"2026-07-08T08:05:28.812982551Z","published":"2026-05-22T18:43:05.549Z","database_specific":{"cwe_ids":["CWE-913"],"cna_assigner":"mitre","isDisputed":true,"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48700.json"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/24/6"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/05/19/1"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/05/20/2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48700.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48700"},{"type":"PACKAGE","url":"https://github.com/lxqt/pcmanfm-qt"},{"type":"PACKAGE","url":"https://github.com/lxqt/pcmanfm-qt/releases"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lxqt/pcmanfm-qt","events":[{"introduced":"031f41d29f00264c7d42ad20946aa3c86b67fbfe"},{"last_affected":"8c4715a327170c20e7d7f3088e9cdc29ca485ba0"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"1.1.0"},{"last_affected":"2.4.0"}]}}],"versions":["2.4.0","2.3.0","2.2.0","2.1.0","2.0.0","1.4.1","1.4.0","1.3.0","1.2.1","1.2.0","1.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48700.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N/R:I/V:D/RE:M/U:Clear"}]}