A flaw was found in the KDE notification UI. HTML IMG tags are not properly sanitized, allowing to use a remote URL in an image tag. Remote attackers could exploit this for arbitrary code execution. References: https://phabricator.kde.org/D10188
Created plasma-workspace tracking bugs for this issue: Affects: fedora-all [bug 1542678]
I dispute "Remote attackers could exploit this...", remote attackers do not have the ability to send notifications in general
*** This bug has been marked as a duplicate of bug 1543454 ***