How to fix CVE-2026-27704?

Within 24 hours: Inventory all applications and services built with Dart/Flutter SDKs and assess their exposure level (internet-facing vs. internal). Within 7 days: Implement compensating controls such as enhanced input validation, Web Application Firewall (WAF) rules targeting known attack vectors, and network segmentation to limit blast radius. Within 30 days: Monitor vendor security advisories for patch availability and establish a plan for rapid deployment once released; consider engaging Dart/Flutter security channels for technical guidance.

Is Flutter affected by CVE-2026-27704?

A HIGH severity vulnerability (CVE-2026-27704, CVSS 7.5) affects Dart and Flutter SDKs with no patch currently available. Organizations using these frameworks for application development face potential exploitation risks, particularly if applications are deployed in production or exposed to…

CVE-2026-27704

HIGH

2026-02-25 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 25, 2026 - 16:23 nvd

HIGH 7.5

Description

The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub client (`dart pub` and `flutter pub`) extracts a package in the pub cache, a malicious package archive can have files extracted outside the destination directory in the `PUB_CACHE`. A fix has been landed in commit 26c6985c742593d081f8b58450f463a584a4203a. By normalizing the file path before writing file, the attacker can no longer traverse up via a symlink. This patch is released in Dart 3.11.0 and Flutter 3.41.0.vAll packages on pub.dev have been vetted for this vulnerability. New packages are no longer allowed to contain symlinks. The pub client itself doesn't upload symlinks, but duplicates the linked entry, and has been doing this for years. Those whose dependencies are all from pub.dev, third-party repositories trusted to not contain malicious code, or git dependencies are not affected by this vulnerability.

Analysis

The Dart and Flutter SDKs provide software development kits for the Dart programming language. [CVSS 7.5 HIGH]

Remediation

Within 24 hours: Inventory all applications and services built with Dart/Flutter SDKs and assess their exposure level (internet-facing vs. internal). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

CVE-2026-27704 vulnerability details – vuln.today

Back

CVE-2026-27704

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-27704

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code