Kde Kdeconnect vulnerabilities

6 known vulnerabilities affecting kde/kdeconnect.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 6

Vulnerabilities

CVE-2025-66270 | MEDIUM | CVSS 4.7 | Affected: ≥ 0, < 25.04.2-1+deb13u1; ≥ 0, < 25.11.80+git20251121.7090b106-1 | 2025-12-05
The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.
Sources: osv

CVE-2025-32901 | MEDIUM | CVSS 4.3 | fixed in 1.33.0 | 2025-12-05
CWE-1287. In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash.
Sources: cvelistv5, nvd

CVE-2025-32900 | MEDIUM | CVSS 4.3 | Affected: ≥ 0, < 25.04.0-1 | 2025-12-05
In the KDE Connect information-exchange protocol before 2025-04-18, a packet can be crafted to temporarily change the displayed information about a device, because broadcast UDP is used. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Val
Sources: osv

CVE-2025-32899 | MEDIUM | CVSS 4.3 | fixed in 1.33.0 | 2025-12-05
CWE-1250. In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, it is an invalid discovery packet sent over broadcast UDP.
Sources: cvelistv5, nvd

CVE-2025-32898 | MEDIUM | CVSS 4.7 | Affected: ≥ 0, < 25.04.0-1 | 2025-12-05
The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59.
Sources: osv

CVE-2020-26164 | MEDIUM | CVSS 5.5 | fixed in 20.08.2 | 2020-10-07
CWE-400. In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a Denial of Service attack.
Sources: nvd, osv