CVE-2026-13601
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Summary
A flaw was found in Yelp due to an overly permissive Content Security Policy (CSP) implementation provided by yelp-xsl. A malicious Flatpak application can open crafted help content through the OpenURI portal. By embedding an untrusted CSS stylesheet within a structured SVG document, attacker-controlled content can bypass Flatpak's intended sandbox isolation, allowing Yelp to evaluate local XML inclusions and disclose arbitrary user-readable host files through remote CSS resource requests. This may result in the unauthorized disclosure of sensitive information.
Affected Software
| Vendor | Product | Version Range | Status |
|---|
Weaknesses
- CWE-693: Protection Mechanism Failure
Workarounds
No mitigation is currently available that meets Red Hat Product Security's standards for usability, deployment, applicability, or stability. Customers are advised to apply the appropriate security update when they becomes available.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
yelp: yelp-xsl: Overly Permissive Content Security Policy in Yelp Allows Host File Disclosure from Flatpak Applications
Additional References
- https://access.redhat.com/security/cve/CVE-2026-13601
- https://bugzilla.redhat.com/show_bug.cgi?id=2494110
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-13601.json
References
- https://access.redhat.com/security/cve/CVE-2026-13601
- https://blogs.gnome.org/mcatanzaro/2026/05/11/flatpak-sandbox-escape-via-yelp/
- https://bugzilla.redhat.com/show_bug.cgi?id=2494110
- https://gitlab.gnome.org/GNOME/yelp/-/commit/c8c8244c8a812860782d635890c9b6c43ecc2639
- https://gitlab.gnome.org/GNOME/yelp/-/work_items/238
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.