CVE-2026-40354: Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host c

Description

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.

Affected Products

Vendor	Product	Versions
flatpak	xdg-desktop-portal	0, 1.21.0

References

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2026-40354 | Flatpak xdg-desktop-portal up to 1.20.3/1.21.0 g_file_trash symlink (GHSA-rqr9-jwwf-wxgj)

→ No new info (linked only)

CVSS 3.12.9 CRITICAL

VectorCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA KEV❌ No

Actively exploited❌ No

Patch available

1.20.41.21.1

CWECWE-61

PublishedApr 11, 2026

Last enriched4h agov2

Trending Score31

Source articles2

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

Version History

Last enriched 4h ago

v2Tier C4h ago

Updated severity to CRITICAL and noted that no exploit is available.

severity

via VulDB

v15h ago

Initial creation

CVE-2026-40354: Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host c

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (3)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History