"run external program" should not be settable via the WebUI/API #22902

Open
@majora2007

Description

qBittorrent & operating system versions

qBittorrent: 5.0.3 x64
Operating system: Windows 10
Qt: 6.7.3

What is the problem?

When the qBittorrent WebUI/API is enabled, the "run external program" setting is allowed to be set. If your password is broken, a hijacker can quickly install a script on your machine.

I believe this setting should be modifiable only via the app and not via the WebUI.

Steps to reproduce

No response

Additional context

Log(s) & preferences file(s)

N/A
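
An added example, not part of the issue and not qBittorrent's own code: a defender-side audit of a qBittorrent.ini file that reports when the WebUI is enabled and how the "run external program" hooks are configured. The section and key names (`[AutoRun]`, `WebUI\Enabled` and the others) are assumptions about the config layout, and the sample file is constructed.

```python
import configparser

# Constructed sample config (not from the issue). Section and key names are
# assumptions about qBittorrent.ini; compare with your own file before relying on them.
SAMPLE_INI = r'''
[AutoRun]
enabled=true
program=C:\scripts\done.bat "%F"
OnTorrentAdded\Enabled=false
OnTorrentAdded\Program=

[Preferences]
WebUI\Enabled=true
WebUI\Address=*
WebUI\LocalHostAuth=false
WebUI\AuthSubnetWhitelistEnabled=false
'''

def load(text):
    # interpolation=None: commands carry %F/%N-style placeholders that would
    # otherwise raise InterpolationSyntaxError. optionxform=str keeps key case.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def flag(cp, section, key, default="false"):
    return cp.get(section, key, fallback=default).strip().lower() == "true"

def audit(text):
    """Return findings about remote exposure of 'run external program'."""
    cp, findings = load(text), []
    if not flag(cp, "Preferences", r"WebUI\Enabled"):
        return findings  # preferences are not reachable over HTTP
    findings.append("WebUI/API enabled: 'run external program' is settable over HTTP")
    addr = cp.get("Preferences", r"WebUI\Address", fallback="*").strip()
    if addr not in ("127.0.0.1", "localhost", "::1"):
        findings.append(f"WebUI listens on {addr!r}, not loopback only")
    if not flag(cp, "Preferences", r"WebUI\LocalHostAuth", default="true"):
        findings.append("authentication is skipped for localhost clients")
    if flag(cp, "Preferences", r"WebUI\AuthSubnetWhitelistEnabled"):
        findings.append("authentication is skipped for whitelisted subnets")
    hooks = (("on finished", "enabled", "program"),
             ("on added", r"OnTorrentAdded\Enabled", r"OnTorrentAdded\Program"))
    for label, en_key, prog_key in hooks:
        on, cmd = flag(cp, "AutoRun", en_key), cp.get("AutoRun", prog_key, fallback="").strip()
        if on or cmd:
            findings.append(f"run external program ({label}): enabled={on}, command={cmd!r}")
    return findings
```

Calling `audit()` on the text of a real config file returns a list of findings; an empty list means the WebUI is disabled in that file.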

Metadata

Assignees

No one assigned

Labels

Security: Related to software vulnerability in qbt (don't overuse this)
WebAPI: WebAPI-related issues/changes
