Unrated severity · NVD Advisory · Published Feb 6, 2014 · Updated Apr 29, 2026

CVE-2013-6486

Description

Pidgin before 2.10.8 on Windows mishandles file: URLs in messages, allowing remote code execution via a crafted explorer.exe command.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In gtkutils.c of Pidgin versions prior to 2.10.8 on Windows, a user-assisted remote attacker can execute arbitrary programs by sending a message containing a specially crafted file: URL. The vulnerability exists because the code does not properly sanitize the URL when constructing an explorer.exe command, leading to command injection. This is an incomplete fix for CVE-2011-3185. [1]

Exploitation

An attacker must send a chat or instant message containing a malformed file: URL to a victim running Pidgin on Windows. The victim only needs to view the message; no additional user interaction with the link is required for the payload to trigger, as the application attempts to construct and execute an explorer.exe command with the unsanitized input. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary programs with the privileges of the victim user. This can lead to full system compromise, data theft, or installation of malware. The attack vector is remote and user-assisted, requiring the victim to be running the vulnerable version on Windows. [1]

Mitigation

Pidgin 2.10.8, released on 2014-02-06, fixes the vulnerability by properly escaping the file: URL before constructing the command. Users should upgrade to version 2.10.8 or later. No workaround is available for older versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. [1]

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

54
  • cpe:2.3:a:pidgin:pidgin:*:*:*:*:*:*:*:* + 53 more
    • cpe:2.3:a:pidgin:pidgin:*:*:*:*:*:*:*:* (range: <=2.10.7)
    • (no CPE) (range: <2.10.8)
