A vulnerability was discovered in qBittorrent before 4.1.7. The function Application::runExternalProgram(), located in app/application.cpp, allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as demonstrated by remote command execution via a crafted name within an RSS feed.

Reference: https://github.com/qbittorrent/qBittorrent/issues/10925
Created qbittorrent tracking bugs for this issue:

Affects: epel-7 [bug 1731076]
Affects: fedora-all [bug 1731075]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
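
The following is an added example, not code from qBittorrent or from this bug report. It sketches the flaw class described above (untrusted torrent name or tracker text substituted into a command that a shell then parses) next to a hardened form that splits the trusted template into arguments before substituting. The `%N` and `%T` placeholder names, the `notify` command and all sample values are assumptions constructed for illustration.

```python
import re
import shlex
import subprocess
import sys

# Constructed sample values; the %N / %T placeholder names are assumptions.
SAMPLE = {
    "%N": "Linux.iso; echo INJECTED",         # untrusted torrent name
    "%T": "http://tracker.example/announce",  # untrusted tracker URL
}

def _substitute(text, values):
    # Single pass, so a value that itself contains "%T" is not expanded again.
    pattern = re.compile("|".join(re.escape(k) for k in values))
    return pattern.sub(lambda m: values[m.group(0)], text)

def expand_unsafe(template, values):
    """'Before' pattern: substitute, then hand the whole string to `sh -c`.
    Metacharacters in a value become shell syntax. Shown only, never executed here."""
    return _substitute(template, values)

def build_argv(template, values):
    """Hardened pattern: split the trusted template into arguments first, then
    substitute inside each one. A value can never add arguments or commands."""
    return [_substitute(arg, values) for arg in shlex.split(template)]

def run_hardened_demo():
    """Run a harmless child (this Python interpreter) that echoes its first argument."""
    template = f'{shlex.quote(sys.executable)} -c "import sys; print(sys.argv[1])" %N'
    done = subprocess.run(build_argv(template, SAMPLE),
                          capture_output=True, text=True, check=True)
    return done.stdout.rstrip("\n")

if __name__ == "__main__":
    print("shell string :", expand_unsafe("notify --name %N", SAMPLE))
    print("argv list    :", build_argv("notify --name %N --tracker %T", SAMPLE))
    print("child saw    :", run_hardened_demo())
```

Argument-vector execution removes shell parsing, but a value beginning with `-` can still be read as an option by the target program, so place `--` before untrusted arguments where the program supports it.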