CVE-2026-35207
Published: Apr 9, 2026
Modified: Apr 13, 2026
CVSS v3.1
5.4
Description
dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from openapi.deepin.com or other providers. An MITM attacker could intercept the traffic, replace the avatar with a malicious or misleading image, and potentially identify the user by the avatar. This vulnerability is fixed in dde-control-center 6.1.80 and 5.9.9.
| Vendor | Product | Versions |
|---|---|---|
linuxdeepin | dde-control-center | affected >= 6.1.35, < 6.1.80affected >= 5.5.3, < 5.9.9 |
linuxdeepin | deepin-deepinid-plugin | affected >= 2.0.1, <= 2.0.9 |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now