Vulnerability in Flatpak Xdg-desktop-portal

CVE-2026-40354

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.

EPSS: 0.000 (5.3th percentile).

CVSS v3 metric

CVSS v3 base score 2.9 (Low). Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L.

Frequently asked questions

What is CVE-2026-40354?
CVE-2026-40354 is a low-severity vulnerability in Flatpak Xdg-desktop-portal, classified under UNIX Symbolic Link (Symlink) Following. CVSS score: 2.9/10. Published 2026-04-11.

How severe is CVE-2026-40354?
Low severity. CVSS v3 base score is 2.9 out of 10.