An unpatched zero-day vulnerability exists in KDE 4 & 5 that could allow attackers to execute code simply by tricking a user into downloading an archive, extracting it, and then opening the folder. In each of these files are various fields that tell the desktop environment how a directory or application should appear. The vulnerability is based on the KDesktopFile class in the KConfigPrivate::expandString() function. The researcher originally didn’t report it as he “wanted to drop a 0day for Defcon that people could experiment with”””
Source: https://www.bleepingcomputer.com/news/security/zero-day-bug-in-kde-4-5-executes-commands-by-opening-a-folder/