Security patch for Kate v0.23.10


Hello, if you haven’t used Kate before, you can stop reading now :>

Kate version 0.23.10 (and earlier) contains a vulnerability that allows a cartridge to escape its sandbox with user cooperation — if a cartridge can trick the user into opening its URL in a new tab or window, that cartridge would then be run without the sandbox, thus having access to all data stored in Kate, such as installed cartridges, save data, and play habits. Data outside of Kate (your documents, personal files, applications, etc.) is not affected.

The impact of this vulnerability is low since it requires user cooperation (you have to take manual steps to open the cartridge URL in a new tab/window in your browser).

The issue is patched in version 0.24.2-a1 (by getting rid of the cartridge URL altogether).
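To make the class of bug concrete, here is an added illustration in generic form (it is not Kate's code; the host markup, the cartridge path, the `srcdoc` approach and the audit function are constructed for this example, and the page does not say how Kate removed its URL). It shows why a navigable cartridge URL defeats an iframe sandbox, one way of embedding a cartridge without any URL, the CSP `sandbox` header that keeps a document sandboxed even when it is opened top-level, and a small audit that flags the weak pattern in host HTML:

```javascript
// Added example: the sandbox-escape pattern from the announcement, in generic
// form. Nothing here is Kate's code; host markup, cartridge paths and the
// audit function are constructed for illustration.

// Weak pattern. The `sandbox` attribute restricts the cartridge only while it
// is framed. The same URL opened directly in a new tab is a top-level document
// with no sandbox at all, which is the escape described above.
function hostPageWithUrl(cartridgeUrl) {
  return `<iframe sandbox="allow-scripts" src="${cartridgeUrl}"></iframe>`;
}

// Escape text for use inside a double-quoted HTML attribute value
// (ampersand first so already-escaped sequences are not double-escaped).
function escapeAttr(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// One way to remove the navigable URL (an assumption, not Kate's method): the
// host reads the cartridge document itself, from storage rather than a served
// path, and inlines it via `srcdoc`. There is then no URL a user could be
// tricked into opening top-level. Relative URLs inside the cartridge must be
// resolved by the host, since a srcdoc document has no base URL of its own.
function hostPageWithSrcdoc(cartridgeHtml) {
  return `<iframe sandbox="allow-scripts" srcdoc="${escapeAttr(cartridgeHtml)}"></iframe>`;
}

// Defence in depth if a cartridge document must still be served from a URL:
// the CSP `sandbox` directive applies the same restrictions to the document
// itself, so it stays sandboxed whether framed or opened in a new tab.
function cartridgeResponseHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "sandbox allow-scripts",
  };
}

// Audit: flag iframes in host HTML that could lead to an unsandboxed cartridge.
// Returns a list of {frame, reason} findings; an empty list means nothing was flagged.
function findEscapableFrames(html) {
  const findings = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let match;
  while ((match = iframeRe.exec(html)) !== null) {
    const attrs = match[1];
    const sandbox = /\bsandbox="([^"]*)"/i.exec(attrs);
    if (!sandbox) {
      findings.push({ frame: match[0], reason: "no sandbox attribute" });
      continue;
    }
    const tokens = sandbox[1].split(/\s+/).filter(Boolean);
    if (tokens.includes("allow-same-origin") && tokens.includes("allow-scripts")) {
      findings.push({
        frame: match[0],
        reason: "allow-same-origin with allow-scripts lets framed code remove its own sandbox",
      });
    }
    // `src="` does not match `srcdoc="`, so only navigable-URL embeds are flagged.
    if (/\bsrc="/i.test(attrs)) {
      findings.push({
        frame: match[0],
        reason: "cartridge loaded from a navigable URL; opened top-level it runs without the sandbox",
      });
    }
  }
  return findings;
}

// Stand-alone run over a constructed weak host page and a constructed hardened one.
function auditDemo() {
  const weak = hostPageWithUrl("/cartridges/demo/index.html");
  const hardened = hostPageWithSrcdoc("<script>console.log('hi')</script>");
  return {
    weakFindings: findEscapableFrames(weak),
    hardenedFindings: findEscapableFrames(hardened),
  };
}
```

Running `auditDemo()` reports one finding for the URL-based host page and none for the srcdoc-based one; the CSP header is the fallback for any cartridge document that still has to be served from a path.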

  • If you use the native application, you update by downloading v0.24.2-a1 for your platform, unpacking it in a new directory, and using the new version’s executable. No need to keep the old folder around: save data and cartridges are stored in a separate location (e.g. %AppData%/@qteatime/kate-desktop on Windows);

  • If you use the web application, you should get the update automatically after the cached content expires. You can force the update by going to Settings -> Diagnostics & Recovery -> Refresh cache, but you need to make sure your browser is requesting the files from the server rather than serving from the local cache. You can check if you’re running the updated version by opening About Kate in the context menu.

You can read the full technical details in the patch announcement: https://github.com/orgs/qteatime/discussions/1

Files

  • kate-v0.24.2-a1-linux-x64.tar.gz (98 MB), Dec 10, 2023
  • kate-v0.24.2-a1-win32-x64.zip (103 MB), Dec 10, 2023
