CVE-2026-40354
LOWFlatpak xdg-desktop-portal <1.20.4 - Privilege Escalation
Title source: llmDescription
Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.
Scores
CVSS v3
2.9
EPSS
0.0002
EPSS Percentile
4.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Details
CWE
CWE-61
Status
published
Products (2)
Flatpak/xdg-desktop-portal
< 1.20.4
Flatpak/xdg-desktop-portal
1.21.0 - 1.21.1
Published
Apr 11, 2026
Tracked Since
Apr 11, 2026