CVE-2026-40354

EUVD-2026-21625
Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.
Symlink
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
2.9 LOW
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Affected Products (NVD)
VendorProductVersion
flatpakxdg-desktop-portal
𝑥
< 1.20.4
flatpakxdg-desktop-portal
1.21.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
xdg-desktop-portal
bookworm
no-dsa
bullseye
postponed
forky
1.22.1+ds-1
fixed
sid
1.22.1+ds-1
fixed
trixie
no-dsa
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
xdg-desktop-portal
suse enterprise desktop 15 SP7
1.18.2-150600.4.6.1
fixed
suse enterprise sap 15 SP7
1.18.2-150600.4.6.1
fixed
suse enterprise server 15 SP4
1.10.1-150400.3.11.1
fixed
suse enterprise server 15 SP7
1.18.2-150600.4.6.1
fixed
xdg-desktop-portal-devel
suse enterprise desktop 15 SP7
1.18.2-150600.4.6.1
fixed
suse enterprise sap 15 SP7
1.18.2-150600.4.6.1
fixed
suse enterprise server 15 SP4
1.10.1-150400.3.11.1
fixed
suse enterprise server 15 SP7
1.18.2-150600.4.6.1
fixed
xdg-desktop-portal-lang
suse enterprise desktop 15 SP7
1.18.2-150600.4.6.1
fixed
suse enterprise sap 15 SP7
1.18.2-150600.4.6.1
fixed
suse enterprise server 15 SP4
1.10.1-150400.3.11.1
fixed
suse enterprise server 15 SP7
1.18.2-150600.4.6.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
xdg-desktop-portal
Amazon Linux 2
0:1.0.2-1.amzn2.0.3
fixed
Amazon Linux 2023
0:1.18.4-107.amzn2023
fixed
xdg-desktop-portal-debuginfo
Amazon Linux 2
0:1.0.2-1.amzn2.0.3
fixed
Amazon Linux 2023
0:1.18.4-107.amzn2023
fixed
xdg-desktop-portal-debugsource
Amazon Linux 2023
0:1.18.4-107.amzn2023
fixed
xdg-desktop-portal-devel
Amazon Linux 2
0:1.0.2-1.amzn2.0.3
fixed
Amazon Linux 2023
0:1.18.4-107.amzn2023
fixed