Description
An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O.
Published: 2026-05-22
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

All current versions of PCManFM‑Qt from 1.1.0 onward accept a regular file's path as a URI in the D‑Bus org.freedesktop.FileManager1.ShowFolders method. The file manager hands the request to an external program chosen by file type without prompting the user. This allows an attacker to trigger execution of arbitrary code or to circumvent restrictions imposed by a network namespace. The weakness is classified as CWE‑913, since privileged functionality is delegated indirectly.

Affected Systems

The affected product is LXQt's PCManFM‑Qt, versions 1.1.0 and later, on every distribution that ships the component. No upper bound is specified, so every build from this baseline onward is considered vulnerable.

Risk and Exploitability

With a CVSS score of 9.3 the flaw is rated critical. No EPSS data is available, so the exploitation likelihood cannot be quantified, but the nature of the flaw suggests that local attackers able to invoke D‑Bus calls could abuse it. The flaw is not listed in CISA's KEV catalog. The attack vector is local and requires the ability to send a D‑Bus message to the file manager; an attacker could also deliver a malicious file through the file manager interface to trigger the delegation.

Generated by OpenCVE AI on May 22, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PCManFM‑Qt to the latest released version that removes the unsafe delegation.
  • Limit the org.freedesktop.FileManager1.ShowFolders D‑Bus method to trusted users or add a confirmation step by editing the D‑Bus policy configuration.
  • Enforce an SELinux or AppArmor confinement profile that blocks execution of arbitrary handlers for regular file URIs, ensuring that only whitelisted applications can be launched.

Advisories

No advisories yet.

History

Fri, 22 May 2026 20:45:00 +0000

Type    Values Removed    Values Added
Title   (none)            Privilege Escalation via D‑Bus ShowFolders Call in PCManFM-Qt

Fri, 22 May 2026 20:15:00 +0000

Type      Values Removed    Values Added
Metrics   (none)            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 22 May 2026 19:15:00 +0000

Type          Values Removed    Values Added
Description   (none)            An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O.
Weaknesses    (none)            CWE-913
References    (none)            (none)
Metrics       (none)            cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N/R:I/V:D/RE:M/U:Clear'}


MITRE

Status: PUBLISHED

Assigner: mitre

Updated: 2026-05-22T19:20:33.074Z

Reserved: 2026-05-22T18:43:05.097Z

Link: CVE-2026-48700

Vulnrichment

Updated: 2026-05-22T19:20:28.343Z

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T20:30:06Z

Weaknesses