CVE-2026-40354

low-risk

Published 2026-04-11

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 2.9/10 Low

LOCAL / HIGH complexity

References (4)

https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.20.4

https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.21.1

https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf...

https://www.openwall.com/lists/oss-security/2026/04/10/14

/ 100

low-risk

Severity 8/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal