CVE-2026-48700: CWE-913 Improper Control of Dynamically-Managed Code Resources in LXQt PCManFM-Qt
An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O.
AI Analysis
Technical Summary
The vulnerability arises from PCManFM-Qt's handling of URIs representing regular files in the org.freedesktop.FileManager1.ShowFolders D-Bus method. When such a URI is received, PCManFM-Qt automatically delegates handling to an external program associated with the file type without requiring user confirmation. This can be exploited to execute arbitrary code or circumvent network namespace restrictions. The issue affects all versions starting from 1.1.0. The product's behavior complies with the relevant specification, and straightforward mitigation by disallowing regular file URIs may cause adverse effects on input/output operations. No patch or official remediation level has been provided as of the publication date.
Potential Impact
Successful exploitation can lead to arbitrary code execution or bypassing network namespace restrictions on affected systems. This could allow an attacker with local privileges to escalate their capabilities or interfere with network isolation mechanisms. The vulnerability is rated critical with a CVSS 4.0 score of 9.3, indicating high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should exercise caution when handling URIs passed to the org.freedesktop.FileManager1.ShowFolders D-Bus method, especially those referencing regular files. Consider restricting access to this D-Bus method or monitoring its usage in sensitive environments until an official fix is available.
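For the monitoring suggestion above, an added example (not from the advisory or the PCManFM-Qt project) that scans text in the layout printed by `dbus-monitor` for ShowFolders calls and flags every URI that resolves to a regular file rather than a folder. The capture is constructed, and the function names are hypothetical.

```python
import os, re, stat, tempfile
from urllib.parse import quote, unquote, urlsplit

# Header line of a ShowFolders call as dbus-monitor prints it.
HEADER = re.compile(r"^method call .*interface=org\.freedesktop\.FileManager1; member=ShowFolders\s*$")
SENDER = re.compile(r"sender=(\S+)")
STRING = re.compile(r'^\s+string "(.*)"\s*$')

def showfolders_uris(monitor_text):
    """Yield (sender, uri) for every URI in the first argument of each ShowFolders call."""
    sender, in_array = None, False
    for line in monitor_text.splitlines():
        if not line[:1].isspace():                 # unindented line starts a new message
            m = SENDER.search(line) if HEADER.match(line) else None
            sender, in_array = (m.group(1) if m else None), False
        elif sender and line.strip() == "array [":
            in_array = True
        elif sender and line.strip() == "]":
            sender = None                          # skip the startup-id string that follows
        elif sender and in_array and (m := STRING.match(line)):
            yield sender, m.group(1)

def names_regular_file(uri):
    """True when a file:// URI resolves (following symlinks) to a regular file."""
    parts = urlsplit(uri)
    if parts.scheme != "file":
        return False
    try:
        return stat.S_ISREG(os.stat(unquote(parts.path)).st_mode)
    except (OSError, ValueError):
        return False

def flag_calls(monitor_text):
    """ShowFolders arguments that name a regular file instead of a folder."""
    return [(s, u) for s, u in showfolders_uris(monitor_text) if names_regular_file(u)]

def sample_capture(uris, sender=":1.99"):
    """Constructed text in dbus-monitor's output layout (not a real capture)."""
    body = "".join(f'      string "{u}"\n' for u in uris)
    return (f"method call time=0.0 sender={sender} -> destination=org.freedesktop.FileManager1 "
            "serial=7 path=/org/freedesktop/FileManager1; "
            "interface=org.freedesktop.FileManager1; member=ShowFolders\n"
            f"   array [\n{body}   ]\n   string \"\"\n")

if __name__ == "__main__":
    folder = tempfile.mkdtemp()
    path = os.path.join(folder, "report.txt")
    open(path, "w").close()
    for sender, uri in flag_calls(sample_capture(["file://" + quote(folder), "file://" + quote(path)])):
        print(f"ALERT sender={sender} ShowFolders names a regular file: {uri}")
```

The check must run on the host where the call was observed, since it inspects the local filesystem to decide whether a path is a regular file.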
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-05-22T18:43:05.097Z
- Cvss Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a10ab43e1370fbb483c5924
Added to database: 5/22/2026, 7:15:15 PM
Last enriched: 5/22/2026, 7:29:47 PM
Last updated: 5/23/2026, 6:20:09 PM