CVE-2026-46529 is an argument injection vulnerability in Evince, Atril, and Xreader caused by missing shell quoting when composing a command line. The reporter, João Medeiros, has published a GitHub repo for the CVE and a blog post with the story of how he discovered the flaw and developed the exploit. He also created an Atril...
Glad it was reported properly. IMO this is just as bad as copy fail, as it affects mostly regular desktop users.
I have helped plenty of not-very-technical people switch to Linux, and these kinds of vulnerabilities scare me the most when it comes to them.