CVE-2026-40354

Summary

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.

Affected Software

VendorProductVersion RangeStatus
Flatpakxdg-desktop-portal0 < 1.20.4affected
Flatpakxdg-desktop-portal1.21.0 < 1.21.1affected

Weaknesses

  • CWE-61: CWE-61 UNIX Symbolic Link (Symlink) Following

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References