Skip to main content

Securedrop Client

1 CVEs product

Monthly

CVE-2026-35465 HIGH PATCH This Week

Path traversal in SecureDrop Client 0.17.4 and below allows a compromised SecureDrop Server to execute arbitrary code on journalist workstations by injecting malicious filenames during gzip archive extraction. The vulnerability enables overwriting the SQLite database and other critical files in the sd-app VM, potentially exposing decrypted source submissions. Fixed in version 0.17.5. No active exploitation confirmed (not in CISA KEV). CVSS 7.5 reflects high impact but complex attack chain requiring prior server compromise and user interaction. EPSS data not available, but real-world risk is constrained by the requirement to first breach a Tor-hidden, hardened server infrastructure.

RCE Securedrop Client
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Path traversal in SecureDrop Client 0.17.4 and below allows a compromised SecureDrop Server to execute arbitrary code on journalist workstations by injecting malicious filenames during gzip archive extraction. The vulnerability enables overwriting the SQLite database and other critical files in the sd-app VM, potentially exposing decrypted source submissions. Fixed in version 0.17.5. No active exploitation confirmed (not in CISA KEV). CVSS 7.5 reflects high impact but complex attack chain requiring prior server compromise and user interaction. EPSS data not available, but real-world risk is constrained by the requirement to first breach a Tor-hidden, hardened server infrastructure.

RCE Securedrop Client
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy