CVE-2026-40354

Published: Apr 11, 2026 Last Modified: Apr 13, 2026
ExploitDB:
Other exploit source:
Google Dorks:
LOW 2,9
Source: [email protected]
Attack Vector: local
Attack Complexity: high
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: low

Description

AI Translation Available

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0001
Percentile
0,0th
Updated

EPSS Score Trend (Last 6 Days)

61

UNIX Symbolic Link (Symlink) Following

Incomplete
Abstraction: Compound Structure: Composite
Common Consequences
Security Scopes Affected:
Confidentiality Integrity
Potential Impacts:
Read Files Or Directories Modify Files Or Directories
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: High
View CWE Details
https://github.com/flatpak/xdg-desktop-portal/releases/tag/…
https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.20.4
https://github.com/flatpak/xdg-desktop-portal/releases/tag/…
https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.21.1
https://github.com/flatpak/xdg-desktop-portal/security/advi…
https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jww…
https://www.openwall.com/lists/oss-security/2026/04/10/14
https://www.openwall.com/lists/oss-security/2026/04/10/14