Ghostwire

CVE-2026-40354: Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host...

LOW CVSS 2.5 EPSS 0.01% Exploit Available 1 PoC

Published: April 11, 2026 | Last Modified: April 11, 2026

Description

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.

Ghostwire Analysis — What This Means Practically

Exploitation Probability (EPSS): Low — 0.01% (3th percentile)

Low exploitation probability based on current threat landscape data. Standard patching timeline is appropriate.

1 proof-of-concept exploit available on GitHub. Public exploit code lowers the barrier for both researchers and attackers.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Proof-of-Concept Exploits (1)

flatpak/xdg-desktop-portal

CVE-2026-40354: Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host...

Description

Ghostwire Analysis — What This Means Practically

Proof-of-Concept Exploits (1)

Security Coverage (1 articles)

References