High severity 8.2 · NVD Advisory · Published Jun 11, 2025 · Updated Apr 15, 2026
CVE-2025-49091
Description
KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. Konsole supports loading URLs from scheme handlers, such as ssh://, telnet://, or rlogin:// URLs, and this loading can be triggered regardless of whether the ssh, telnet, or rlogin binary is available. In this mode there is a code path where, if that binary is not available, Konsole falls back to running /bin/bash with the provided arguments (i.e., the URL). This allows an attacker to execute arbitrary code.
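A local triage check for the condition described above, as an added example that is not code from KDE or from the advisory: it compares the installed Konsole version with 25.04.2 and reports which of the ssh, telnet and rlogin binaries are absent, since the fallback to /bin/bash is taken when the binary is not available. The function names are hypothetical, and the `konsole --version` output format ("konsole X.Y.Z") is an assumption.

```shell
#!/bin/sh
# Added example: local triage for the CVE-2025-49091 precondition.
FIXED="25.04.2"                    # first fixed Konsole release (from the advisory)
HANDLER_BINS="ssh telnet rlogin"   # binaries behind the URL schemes the advisory names

# version_lt A B: true when dotted numeric version A is older than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1   # equal versions are not "older"
}

# missing_bins SEARCHPATH: print the handler binaries not found on SEARCHPATH.
missing_bins() {
    out=
    for bin in $HANDLER_BINS; do
        ( PATH=$1; command -v "$bin" >/dev/null 2>&1 ) || out="$out $bin"
    done
    echo "${out# }"
}

# assess VERSION SEARCHPATH: classify a host from its Konsole version and PATH.
assess() {
    if ! version_lt "$1" "$FIXED"; then echo "patched"; return 0; fi
    miss=$(missing_bins "$2")
    if [ -n "$miss" ]; then
        echo "vulnerable: bash fallback reachable for: $miss"
    else
        echo "vulnerable version: handler binaries present, upgrade to $FIXED"
    fi
}

# Live check; assumes `konsole --version` prints "konsole X.Y.Z".
if command -v konsole >/dev/null 2>&1; then
    ver=$(konsole --version 2>/dev/null | awk '{print $NF}')
    if [ -n "$ver" ]; then assess "$ver" "$PATH"; fi
fi
```

Hosts reported as vulnerable should be upgraded to 25.04.2 or later in either case; the list of missing binaries only shows which schemes would reach the fallback path.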
Patches
No patches discovered yet.
References
- invent.kde.org/utilities/konsole/-/commit/09d20dea109050b4c02fb73095f327b5642a2b75 (nvd)
- invent.kde.org/utilities/konsole/-/tags (nvd)
- kde.org/info/security/advisory-20250609-1.txt (nvd)
- konsole.kde.org/changelog.html (nvd)
- lists.debian.org/debian-lts-announce/2025/06/msg00019.html (nvd)
- proofnet.de/publikationen/konsole_rce.html (nvd)
- www.openwall.com/lists/oss-security/2025/06/10/5 (nvd)