anonhaven
Ad

CVE-2026-35207

MEDIUM CVSS 3.1: 5.4 EPSS 0.02%
Updated Apr 09, 2026
dde-control-center
Parameter Value
CVSS 5.4 (MEDIUM)
Type CWE-295 (Improper Certificate Validation)
Vendor dde-control-center
Public PoC No

dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from openapi.deepin.com or other providers. An MITM attacker could intercept the traffic, replace the avatar with a malicious or misleading image, and potentially identify the user by the avatar.

This vulnerability is fixed in dde-control-center 6.1.80 and 5.9.9.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-295 Improper Certificate Validation

References 4

https://github.com/linuxdeepin/dde-control-center/commit/6fc206120be28d9eef7d72…
security-advisories@github.com
https://github.com/linuxdeepin/dde-control-center/commit/cd95b054ff10a35bc92844…
security-advisories@github.com
https://github.com/linuxdeepin/dde-control-center/pull/3146
security-advisories@github.com
https://github.com/linuxdeepin/developer-center/security/advisories/GHSA-jf2h-4…
security-advisories@github.com
Share Post Share Share Share