Skip to main content

Yelp

2 CVEs product

Monthly

CVE-2026-13601 MEDIUM This Month

Sandbox-escaping information disclosure in Yelp (the GNOME help viewer) lets a malicious Flatpak application read arbitrary user-readable files on the host. By using the OpenURI portal to open crafted help content that embeds an untrusted CSS stylesheet inside a structured SVG document, an attacker abuses an overly permissive Content Security Policy supplied by yelp-xsl to force Yelp to evaluate local XML inclusions and exfiltrate file contents via remote CSS resource requests, defeating Flatpak's intended isolation. The flaw was disclosed publicly (GNOME developer blog by Michael Catanzaro, May 2026) and tracked by Red Hat; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Enterprise Linux Yelp
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-3155 HIGH POC PATCH This Week

A flaw was found in Yelp. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Yelp Debian Linux Codeready Linux Builder Codeready Linux Builder For Arm64 +17
NVD GitHub
CVSS 3.1
7.4
EPSS
0.7%
EPSS 0% CVSS 6.5
MEDIUM This Month

Sandbox-escaping information disclosure in Yelp (the GNOME help viewer) lets a malicious Flatpak application read arbitrary user-readable files on the host. By using the OpenURI portal to open crafted help content that embeds an untrusted CSS stylesheet inside a structured SVG document, an attacker abuses an overly permissive Content Security Policy supplied by yelp-xsl to force Yelp to evaluate local XML inclusions and exfiltrate file contents via remote CSS resource requests, defeating Flatpak's intended isolation. The flaw was disclosed publicly (GNOME developer blog by Michael Catanzaro, May 2026) and tracked by Red Hat; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Enterprise Linux Yelp
NVD VulDB
EPSS 1% CVSS 7.4
HIGH POC PATCH This Week

A flaw was found in Yelp. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Yelp Debian Linux +19
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy