qutebrowser 0.9.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the qutebrowser package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Cross-site Request Forgery (CSRF) qutebrowser is a keyboard-driven, vim-like browser based on PyQt5. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). This may be exploited to cause websites to access `qute://*` URLS. Furthermore, a malicious actor could exploit this to load a `qute://settings/set` URL, which sets `editor.command` to a bash script, resulting in arbitrary code execution. How to fix Cross-site Request Forgery (CSRF)? Upgrade `qutebrowser` to version 1.4.1 or higher.	[,1.4.1)
L Detection of Error Condition Without Action qutebrowser is a keyboard-driven, vim-like browser based on PyQt5. Affected versions of this package are vulnerable to Detection of Error Condition Without Action. Eeloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (`colors.statusbar.url.warn.fg`). However, when the affected website is subsequently loaded again, the URL is mistakenly displayed as green (`colors.statusbar.url.success_https`). How to fix Detection of Error Condition Without Action? Upgrade `qutebrowser` to version 1.11.1 or higher.	[,1.11.1)
M Cross-site Scripting (XSS) qutebrowser is a keyboard-driven, vim-like browser based on PyQt5. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the history command. A malicious user could inject a javascript code and might steal a user's browsing history when the user visits a page with an html input element as it's title. How to fix Cross-site Scripting (XSS)? Upgrade `qutebrowser` to version 1.3.3 or higher.	[0.1.1,1.3.3)

Vulnerability

Vulnerable Version

Cross-site Request Forgery (CSRF)

qutebrowser is a keyboard-driven, vim-like browser based on PyQt5.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). This may be exploited to cause websites to access qute://* URLS. Furthermore, a malicious actor could exploit this to load a qute://settings/set URL, which sets editor.command to a bash script, resulting in arbitrary code execution.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade qutebrowser to version 1.4.1 or higher.

[,1.4.1)

Detection of Error Condition Without Action

qutebrowser is a keyboard-driven, vim-like browser based on PyQt5.

Affected versions of this package are vulnerable to Detection of Error Condition Without Action. Eeloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website is subsequently loaded again, the URL is mistakenly displayed as green (colors.statusbar.url.success_https).

How to fix Detection of Error Condition Without Action?

Upgrade qutebrowser to version 1.11.1 or higher.

[,1.11.1)

Cross-site Scripting (XSS)

qutebrowser is a keyboard-driven, vim-like browser based on PyQt5.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the history command. A malicious user could inject a javascript code and might steal a user's browsing history when the user visits a page with an html input element as it's title.

How to fix Cross-site Scripting (XSS)?

Upgrade qutebrowser to version 1.3.3 or higher.

[0.1.1,1.3.3)

qutebrowser@0.9.0 vulnerabilities

A keyboard-driven, vim-like browser based on Python and Qt.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically