Path Traversal in Flatpak Flatpak-builder
CVE-2026-39977
flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user defined licence files relative to the source directory of the module. The paths from that a…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.000 (10.8th percentile)
Affected products
- Flatpak Flatpak-builder — versions >= 1.4.5, < 1.4.8
Weakness classification (CWE)
References
- https://github.com/flatpak/flatpak-builder/security/advisories/GHSA-6gm9-3g7m-3965 (x_refsource_CONFIRM)