KDE Project Security Advisory

Vulnerability Overview

Title: Dolphin: Improper handling of FileManager1.ShowFolders arguments allows sandbox escape
Risk Rating: Medium
CVE: CVE-2026-41525
Affected Versions: Dolphin < 25.12.3
Release Date: 27 April 2026

Description

There is a bug in Dolphin when handling , which allows bypassing the Flatpak sandbox and AppArmor restrictions by launching executable files. If the URL in is a file, Dolphin incorrectly assumes that the file should be activated. If the user has reconfigured Dolphin to run scripts silently, this may lead to code execution.

Impact Scope

An attacker can craft special inputs, links, or requests that cause Dolphin to launch executable files outside the current sandbox or restricted environment. This may allow bypassing Flatpak sandbox restrictions or AppArmor policies and executing arbitrary code with the user's privileges.

Remediation

Temporary Workaround

Ensure that the setting “When opening executable files” is set to “Always ask”.

Final Solution

Update Dolphin to version 25.12.3 or later.
Apply the patch https://invent.kde.org/system/dolphin/-/commit/42f6099a0a10e0948cae8f7e364c941291331326c

Acknowledgments

Thanks to Aaron Rainbolt for reporting this issue and Harald Sitter for providing the fix.
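
A host audit for the remediation above, as an added example that is not part of the KDE advisory or Dolphin's code: it compares a reported Dolphin version against 25.12.3 and checks whether executable files are configured to run without asking. The kiorc group, key and value names are assumptions, and the sample inputs are constructed.

```python
import re

FIXED = (25, 12, 3)  # first fixed release named in the advisory

# Assumption (not from the advisory): the "When opening executable files"
# choice is stored in kiorc under this group and key, and "execute" is the
# value meaning "run without asking".
GROUP, KEY, SILENT = "Executable scripts", "behaviourOnLaunch", "execute"

def parse_version(text):
    """Extract (major, minor, patch) from text such as `dolphin --version` output."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_affected_version(text):
    """True when the version is older than the fixed release."""
    return parse_version(text) < FIXED

def launch_policy(kiorc_text):
    """Return the configured launch behaviour, or None when the key is unset."""
    group = None
    for raw in kiorc_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif group == GROUP and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == KEY:
                return value.strip()
    return None

def assess(version_text, kiorc_text):
    """Summarise exposure for one host."""
    if not is_affected_version(version_text):
        return "fixed version"
    if launch_policy(kiorc_text) == SILENT:
        return "affected version, executables run without asking"
    return "affected version, silent execution not configured"

# Constructed sample inputs, not taken from a real system.
SAMPLE_KIORC = "[Confirmations]\nConfirmDelete=true\n\n[Executable scripts]\nbehaviourOnLaunch=execute\n"

if __name__ == "__main__":
    print(assess("dolphin 25.12.2", SAMPLE_KIORC))
    print(assess("dolphin 25.12.3", SAMPLE_KIORC))
```

Flatpak installs keep their configuration in a per-application directory, so pass the contents of whichever kiorc the running Dolphin actually reads.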