Skip to main content

Xdg Desktop Portal

1 CVEs product

Monthly

CVE-2026-40354 LOW PATCH Monitor

Flatpak xdg-desktop-portal versions before 1.20.4 and 1.21.x before 1.21.1 allow any sandboxed Flatpak application to delete arbitrary files on the host system through a symlink race condition in the g_file_trash function. The vulnerability exploits insufficient validation of file paths during trash operations, enabling local privilege escalation from a confined container context to affect host files. CVSS severity is low (2.9) due to high attack complexity and local-only vector, but the impact affects all Flatpak users whose host system contains a vulnerable xdg-desktop-portal installation.

Information Disclosure Xdg Desktop Portal
NVD GitHub VulDB
CVSS 3.1
2.9
EPSS
0.0%
EPSS 0% CVSS 2.9
LOW PATCH Monitor

Flatpak xdg-desktop-portal versions before 1.20.4 and 1.21.x before 1.21.1 allow any sandboxed Flatpak application to delete arbitrary files on the host system through a symlink race condition in the g_file_trash function. The vulnerability exploits insufficient validation of file paths during trash operations, enabling local privilege escalation from a confined container context to affect host files. CVSS severity is low (2.9) due to high attack complexity and local-only vector, but the impact affects all Flatpak users whose host system contains a vulnerable xdg-desktop-portal installation.

Information Disclosure Xdg Desktop Portal
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy