diff --git a/library/desktop/src/clients/menu.rb b/library/desktop/src/clients/menu.rb
index 268ff8c1e..f356fa67b 100644
--- a/library/desktop/src/clients/menu.rb
+++ b/library/desktop/src/clients/menu.rb
@@ -295,12 +295,16 @@ def Launch(modul)
 cmd = ""
 ret = nil
 
+ # prevent shell injection when passing argument. But on other hand do
+ # not pass empty argument which makes module think it is CLI (bsc#1121425)
+ argument = argument.empty? ? "" : argument.shellescape
+
 # Use UI::RunInTerminal in text-mode only (#237332)
 if textmode
- cmd = Builtins.sformat("/sbin/yast %1 %2 >&2", function.shellescape, argument.shellescape)
+ cmd = Builtins.sformat("/sbin/yast %1 %2 >&2", function.shellescape, argument)
 ret = UI.RunInTerminal(cmd)
 else
- cmd = Builtins.sformat("/sbin/yast2 %1 %2 >&2", function.shellescape, argument.shellescape)
+ cmd = Builtins.sformat("/sbin/yast2 %1 %2 >&2", function.shellescape, argument)
 ret = SCR.Execute(path(".target.bash"), cmd)
 end
 Builtins.y2milestone("Got %1 from %2", ret, cmd)
diff --git a/package/yast2.changes b/package/yast2.changes
index d4bc85367..b26ba6cff 100644
--- a/package/yast2.changes
+++ b/package/yast2.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jan 10 14:45:03 UTC 2019 - Josef Reidinger
+
+- Fix crashes of many modules when invoking from ncurses control
+ center (bsc#1121425)
+- 4.1.49
+
 -------------------------------------------------------------------
 Mon Jan 7 08:40:21 UTC 2019 - lslezak@suse.cz
 
diff --git a/package/yast2.spec b/package/yast2.spec
index 5998b5429..5b502e08c 100644
--- a/package/yast2.spec
+++ b/package/yast2.spec
@@ -17,7 +17,7 @@
 
 
 Name: yast2
-Version: 4.1.48
+Version: 4.1.49
 Release: 0
 Summary: YaST2 - Main Package
 License: GPL-2.0-only
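Review bot: The added `argument = argument.empty? ? "" : argument.shellescape` in menu.rb rebinds `argument` to its shell-quoted form, so from that line to the end of Launch the same name holds escaped text, and a later edit could escape it twice or treat it as the original value. A separate local, e.g. `escaped_arg = argument.empty? ? "" : argument.shellescape`, passed to both `Builtins.sformat` calls would keep the raw and quoted values apart. The comment above it could also state why the special case is needed: `"".shellescape` returns `''`, which the shell hands to yast as an empty argument, whereas an empty string adds nothing to the command line. No spec covering the empty and shell-metacharacter cases is visible in this diff, and Launch's body starts and ends outside the hunk.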