CVE-2025-49091

Published Jun 11, 2025

Last updated a month ago

Overview

Description
KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. It supports loading URLs from the scheme handlers such as a ssh:// or telnet:// or rlogin:// URL. This can be executed regardless of whether the ssh, telnet, or rlogin binary is available. In this mode, there is a code path where if that binary is not available, Konsole falls back to using /bin/bash for the given arguments (i.e., the URL) provided. This allows an attacker to execute arbitrary code.
Source
cve@mitre.org
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.2
Impact score
6
Exploitability score
1.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
Severity
HIGH

Weaknesses

cve@mitre.org
CWE-670

Social media

Hype score
Not currently trending
  1. #AppSec #Cloud_Security 1. Attacking JWT using X.509 Certificates https://t.co/EgeAzHONPT 2. Code execution from web browser using URL schemes handled by KDE's KTelnetService and Konsole (CVE-2025-49091) https://t.co/iDtwNMERnD 3. A vulnerability in Real User Monitoring feature

    @ksg93rd

    5 Jul 2025

    163 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-49091: RCE vulnerability in KDE Konsole allows remote execution from the browser using telnet:// schemes https://t.co/FpXrIMvXtJ

    @Error400cl

    1 Jul 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Serious vulnerability in Konsole allows code execution just by opening a web page https://t.co/DhgYO7YswW A few days ago, information was released about a critical vulnerability, which was identified as "CVE-2025-49091". This vulnerability discovered in

    @laboratoriolinu

    30 Jun 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

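  4. A severe (Critical) (lol) vulnerability in KDE Konsole. CVE-2025-49091 is an issue where, in scheme handlers such as telnet://, if telnet is not available, it falls back to bash with the given arguments. Note that browsers normally external…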

    @__kokumoto

    11 Jun 2025

    467 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-49091 KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. It supports loading URLs from the scheme handlers such as a ssh:// or telnet:// or rlog… https://t.co/PQOQcFMIod

    @CVEnew

    11 Jun 2025

    611 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-49091 CVE-2025-49091 https://t.co/8ZaHlZqqfZ

    @VulmonFeeds

    10 Jun 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Code execution from web browser using URL schemes handled by KDE's KTelnetService and Konsole (CVE-2025-49091) https://t.co/0or836bxdS https://t.co/GB9OWBebEa

    @secharvesterx

    10 Jun 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes