Advisories for Pypi/Qutebrowser package

2021
2020

UI Discrepancy for Security Feature

After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors. the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security.

2018

Cross-Site Request Forgery (CSRF)

qutebrowser is vulnerable to a cross-site request forgery flaw that allows websites to access qute://* URLs. A malicious website could exploit this to load a qute://settings/set URL, which then sets editor.command to a bash script, resulting in arbitrary code execution.