Medium severity6.8NVD Advisory· Published Feb 7, 2018· Updated Jun 17, 2026
CVE-2018-6791
CVE-2018-6791
Description
An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0. When a vfat thumbdrive that contains `` or $() in its volume label is plugged in and mounted through the device notifier, it's interpreted as a shell command, leading to a possibility of arbitrary command execution. An example of an offending volume label is "$(touch b)" -- this will create a file called b in the home folder.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <5.12.0
Patches
Vulnerability mechanics
References
3- bugs.kde.org/show_bug.cginvdIssue TrackingVendor Advisory
- cgit.kde.org/plasma-workspace.git/commit/nvdVendor Advisory
- www.debian.org/security/2018/dsa-4116nvdThird Party Advisory
News mentions
0No linked articles in our index yet.