CVE-2025-66270
Vexday Risk Score
13 (Low)
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.7 · EPSS 0.2% · KEV no · PoC — · Patch —
Lifecycle
Dec 05, 2025: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Affected products
KDE · KDE Connect protocol
References
https://github.com/andyholmes/valent/commit/85f773124a67ed1add79e7465bb088ec667cccce
https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/a38246deec0af50ae218cdc51db32cdd7eb145e3
https://invent.kde.org/network/kdeconnect-android/-/commit/675d2d24a1eb95d15d9e5bde2b7e2271d5ada6a9
https://invent.kde.org/network/kdeconnect-ios/-/commit/6c003c22d04270cabc4b262d399c753d55cf9080
https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e
https://kde.org/info/security/advisory-20251128-1.txt