qutebrowser is vulnerable to arbitrary command execution. An attacker is able to execute commands such as `:spawn` or `:debug-pyeval` on the host OS via a specially crafted URL leading to argument injection. The vulnerability exists on Windows installations where qutebrowser is registered as a URL handler.

CPE

Name | Operator | Version
---|---|---
qutebrowser | le | 2.3.1
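
The defensive counterpart to the argument injection described above, as an added example (not qutebrowser's own code): a launcher-side check that treats everything after a marker in the URL-handler command line as untrusted and refuses anything that could parse as an option or a `:` command. The marker name `--untrusted-args`, the function names and the sample argument vectors are assumptions constructed for this illustration.

```python
# Assumed marker: the URL-handler registration would pass it before "%1",
# so everything after it comes from the clicked link, not from the user.
MARKER = "--untrusted-args"


class UntrustedArgError(ValueError):
    """The untrusted tail of argv could be read as an option or a command."""


def validate_untrusted_args(argv):
    """Return the one untrusted URL after MARKER (None if absent), else raise."""
    try:
        idx = argv.index(MARKER)
    except ValueError:
        return None  # started directly by the user: nothing to restrict
    rest = argv[idx + 1:]
    if len(rest) > 1:
        # A handler passes exactly one value; extra items mean the URL
        # was split into several arguments on the way in.
        raise UntrustedArgError("multiple arguments after " + MARKER)
    for arg in rest:
        # "-..." would parse as an option, ":..." as a command such as :spawn.
        if arg.startswith(("-", ":")):
            raise UntrustedArgError("option or command after " + MARKER)
    return rest[0] if rest else None


def is_safe(argv):
    """True when argv passes the untrusted-argument check."""
    try:
        validate_untrusted_args(argv)
        return True
    except UntrustedArgError:
        return False


# Constructed sample argument vectors (not captured from a real system).
SAMPLES = [
    ["qutebrowser", MARKER, "https://example.org/"],
    ["qutebrowser", MARKER, ":spawn placeholder"],
    ["qutebrowser", MARKER, "https://example.org/", ":debug-pyeval placeholder"],
    ["qutebrowser", MARKER, "--some-option"],
    ["qutebrowser", ":open https://example.org/"],  # typed by the user, no marker
]

if __name__ == "__main__":
    for argv in SAMPLES:
        print("accept" if is_safe(argv) else "reject", argv[1:])
```

The check only works if the marker is the last fixed element of the registered handler command, so that nothing supplied by the link can appear before it.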