Skip to main content

Flatpak

10 CVEs product

Monthly

CVE-2026-34078 CRITICAL PATCH Act Now

Sandbox escape in Flatpak versions prior to 1.16.4 allows applications to access arbitrary host filesystem paths and achieve host-level code execution through symlink manipulation in portal sandbox-expose options. The vulnerability requires no authentication (CVSS:4.0 PR:N) and is exploitable over the network with low complexity. No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack primitive is clearly documented in the vendor advisory.

RCE Flatpak
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2023-28101 MEDIUM PATCH This Month

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Flatpak
NVD GitHub
CVSS 3.1
4.3
EPSS
0.9%
CVE-2023-28100 MEDIUM PATCH This Month

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity.

Information Disclosure Flatpak
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-41133 HIGH PATCH This Week

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Privilege Escalation Flatpak Debian Linux Fedora
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
CVE-2021-21381 HIGH PATCH This Week

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Rated high severity (CVSS 8.2), this vulnerability is no authentication required, low attack complexity.

Information Disclosure Flatpak Debian Linux Fedora
NVD GitHub
CVSS 3.1
8.2
EPSS
1.5%
CVE-2021-21261 HIGH PATCH This Week

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity.

Google RCE Flatpak Debian Linux
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2019-10063 CRITICAL PATCH Act Now

Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required.

Authentication Bypass Linux Flatpak
NVD GitHub
CVSS 3.0
9.0
EPSS
1.9%
CVE-2019-8308 HIGH This Week

Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Flatpak Debian Linux Enterprise Linux Desktop Enterprise Linux Server +4
NVD GitHub
CVSS 3.0
8.2
EPSS
0.5%
CVE-2018-6560 HIGH PATCH This Week

In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity.

Information Disclosure Flatpak Enterprise Linux Desktop Enterprise Linux Server Enterprise Linux Server Aus +3
NVD GitHub
CVSS 3.0
8.8
EPSS
0.4%
CVE-2017-9780 HIGH PATCH This Week

In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Information Disclosure Flatpak Debian Linux
NVD GitHub
CVSS 3.0
7.8
EPSS
0.0%
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Sandbox escape in Flatpak versions prior to 1.16.4 allows applications to access arbitrary host filesystem paths and achieve host-level code execution through symlink manipulation in portal sandbox-expose options. The vulnerability requires no authentication (CVSS:4.0 PR:N) and is exploitable over the network with low complexity. No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack primitive is clearly documented in the vendor advisory.

RCE Flatpak
NVD GitHub VulDB
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Flatpak
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity.

Information Disclosure Flatpak
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Privilege Escalation Flatpak Debian Linux +1
NVD GitHub
EPSS 2% CVSS 8.2
HIGH PATCH This Week

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Rated high severity (CVSS 8.2), this vulnerability is no authentication required, low attack complexity.

Information Disclosure Flatpak Debian Linux +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity.

Google RCE Flatpak +1
NVD GitHub
EPSS 2% CVSS 9.0
CRITICAL PATCH Act Now

Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required.

Authentication Bypass Linux Flatpak
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Flatpak Debian Linux +6
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity.

Information Disclosure Flatpak Enterprise Linux Desktop +5
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Information Disclosure Flatpak Debian Linux
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy