Skip to main content

Yelp CVE-2026-13601

| EUVDEUVD-2026-40066 MEDIUM
Protection Mechanism Failure (CWE-693)
2026-06-29 secalert@redhat.com GHSA-f4vh-qr53-q5gv
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
7.1 HIGH

Requires a locally-running sandboxed app (AV:L) but no host privileges or interaction (PR:N/UI:N); sandbox-to-host escape changes scope (S:C) and leaks files (C:H) without integrity/availability impact.

3.1 AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
SUSE
7.1 HIGH
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Red Hat
7.1 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Severity Changed
Jul 08, 2026 - 03:37 NVD
HIGH MEDIUM
CVSS changed
Jul 08, 2026 - 03:37 NVD
7.1 (HIGH) 6.5 (MEDIUM)
Analysis Generated
Jun 29, 2026 - 10:32 vuln.today

DescriptionNVD

A flaw was found in Yelp due to an overly permissive Content Security Policy (CSP) implementation provided by yelp-xsl. A malicious Flatpak application can open crafted help content through the OpenURI portal. By embedding an untrusted CSS stylesheet within a structured SVG document, attacker-controlled content can bypass Flatpak's intended sandbox isolation, allowing Yelp to evaluate local XML inclusions and disclose arbitrary user-readable host files through remote CSS resource requests. This may result in the unauthorized disclosure of sensitive information.

AnalysisAI

Sandbox-escaping information disclosure in Yelp (the GNOME help viewer) lets a malicious Flatpak application read arbitrary user-readable files on the host. By using the OpenURI portal to open crafted help content that embeds an untrusted CSS stylesheet inside a structured SVG document, an attacker abuses an overly permissive Content Security Policy supplied by yelp-xsl to force Yelp to evaluate local XML inclusions and exfiltrate file contents via remote CSS resource requests, defeating Flatpak's intended isolation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Install/run malicious Flatpak app
Delivery
Invoke OpenURI portal to Yelp
Exploit
Deliver crafted SVG with untrusted CSS
Execution
Yelp evaluates local XML inclusions outside sandbox
Persist
Read user-readable host files
Impact
Exfiltrate via remote CSS requests

Vulnerability AssessmentAI

Exploitation A malicious or compromised Flatpak application must already be installed and running on the host, and it must be able to invoke the OpenURI portal to hand crafted help content to Yelp. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.1 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N): local attack vector, low complexity, no privileges, no user interaction, a changed scope (sandbox-to-host escape), and high confidentiality impact with no integrity or availability impact - consistent with a read-only information-disclosure sandbox escape rather than code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user installs a seemingly benign Flatpak application; while running inside its sandbox, the app calls the OpenURI portal to open crafted help content in Yelp containing an SVG that wraps a malicious CSS stylesheet and local XML inclusions. Yelp, running outside the sandbox, evaluates the attacker content under the permissive yelp-xsl CSP, reads user-readable host files, and leaks their contents through remote CSS resource requests to an attacker server. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the distribution package update that incorporates GNOME GitLab commit c8c8244c8a812860782d635890c9b6c43ecc2639 for Yelp (and the corresponding yelp-xsl CSP tightening), tracking your distro's advisory via the Red Hat entry at https://access.redhat.com/security/cve/CVE-2026-13601 and Bugzilla 2494110 (https://bugzilla.redhat.com/show_bug.cgi?id=2494110) for the exact patched build for your OS. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Enumerate GNOME systems with Flatpak support; catalogue all installed Flatpak applications and assess trustworthiness. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-5645 CRITICAL POC
9.8 Apr 17

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events

CVE-2015-0240 CRITICAL POC
10.0 Feb 24

The Netlogon server implementation in smbd in Samba 3.5.x and 3.6.x before 3.6.25, 4.0.x before 4.0.25, 4.1.x before 4.1

CVE-2016-6662 CRITICAL POC
9.8 Sep 20

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.2

CVE-2025-32463 CRITICAL POC
9.3 Jun 30

Sudo before 1.9.17p1 contains a local root escalation vulnerability (CVE-2025-32463, CVSS 9.3) through the --chroot opti

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2017-3068 HIGH POC
8.8 May 09

Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable memory corruption vulnerability in the Advanced V

CVE-2013-4124 MEDIUM POC
5.0 Aug 06

Integer overflow in the read_nttrans_ea_list function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.

CVE-2015-4024 MEDIUM POC
5.0 Jun 09

Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP before 5.4.41, 5.

CVE-2017-3106 HIGH POC
8.8 Aug 11

Adobe Flash Player versions 26.0.0.137 and earlier have an exploitable type confusion vulnerability when parsing SWF fil

CVE-2014-3470 MEDIUM
4.3 Jun 05

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before

CVE-2014-3560 HIGH
7.9 Aug 06

NetBIOS name services daemon (nmbd) in Samba 4.0.x before 4.0.21 and 4.1.x before 4.1.11 allows remote attackers to exec

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected

Share

CVE-2026-13601 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy