PatchSiren cyber security CVE debrief
CVE-2026-13601 Red Hat CVE debrief
CVE-2026-13601 is a HIGH-severity vulnerability with a CVSS score of 7.1. The flaw exists in Yelp's Content Security Policy (CSP) implementation provided by yelp-xsl. A malicious Flatpak application can exploit this vulnerability by opening crafted help content through the OpenURI portal, embedding an untrusted CSS stylesheet within a structured SVG document. This allows attacker-controlled content to bypass Flatpak's intended sandbox isolation, enabling Yelp to evaluate local XML inclusions and disclose arbitrary user-readable host files through remote CSS resource requests. This may result in the unauthorized disclosure of sensitive information. Users should be cautious when using Flatpak applications and ensure they are updated to the latest versions.
- Vendor
- Red Hat
- Product
- Red Hat Enterprise Linux 10
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-29
- Original CVE updated
- 2026-06-29
- Advisory published
- 2026-06-29
- Advisory updated
- 2026-06-29
Who should care
Users of Flatpak applications, particularly those utilizing Yelp for help content, should be aware of this vulnerability. System administrators and security teams responsible for managing Flatpak deployments and ensuring the security of user systems should prioritize patching and mitigation efforts. Developers of Flatpak applications and Yelp extensions should also review their code for potential vulnerabilities and ensure secure practices.
Technical summary
The vulnerability arises from an overly permissive Content Security Policy (CSP) in the help-page output generated by yelp-xsl. A malicious Flatpak application opens crafted help content through the OpenURI portal, embedding an untrusted CSS stylesheet inside an SVG document. Because the CSP still permits remote style resources, Yelp evaluates local XML inclusions and leaks arbitrary user-readable host files through the resulting remote CSS requests, bypassing the isolation the Flatpak sandbox is meant to provide. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity.
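As an added illustration (not code from this page, Red Hat or yelp-xsl): a small checker that parses a CSP string and reports which fetch directives still permit remote origins, which is the condition that lets sandboxed help content reach out over the network. The two policies are constructed for the example; yelp-xsl's real policy is not reproduced on this page.

```python
"""Report CSP fetch directives that permit remote origins.

Added example; the policies below are constructed and are not the
actual CSP that yelp-xsl emits.
"""

# Directives that govern sub-resource fetches; style-src is the one that
# matters for a CSS stylesheet embedded in help content.
FETCH_DIRECTIVES = ("style-src", "img-src", "font-src", "connect-src", "script-src")

# Source expressions that never authorise a network fetch on their own.
LOCAL_SCHEMES = {"data:", "blob:", "filesystem:", "file:"}
NETWORK_SCHEMES = {"http:", "https:", "ws:", "wss:", "ftp:"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split 'dir a b; dir2 c' into {'dir': ['a', 'b'], 'dir2': ['c']}."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_allows_remote(src: str) -> bool:
    """True if a single source expression can authorise a network fetch."""
    s = src.lower()
    if s.startswith("'"):            # 'self', 'none', 'unsafe-inline', nonces, hashes
        return False
    if s in LOCAL_SCHEMES:
        return False
    if s == "*" or s in NETWORK_SCHEMES:
        return True
    return True                      # any host-source (cdn.example, *.example.org)


def remote_fetch_findings(policy: str) -> dict[str, list[str]]:
    """Map each fetch directive to the sources that permit remote fetches.

    A missing directive falls back to default-src; if that is missing too,
    the directive is unrestricted, which is reported as '*'.
    """
    directives = parse_csp(policy)
    findings: dict[str, list[str]] = {}
    for name in FETCH_DIRECTIVES:
        sources = directives.get(name, directives.get("default-src", ["*"]))
        remote = [s for s in sources if source_allows_remote(s)]
        if remote:
            findings[name] = remote
    return findings
```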
Defensive priority
High priority should be given to patching and mitigating this vulnerability. System administrators should ensure all Flatpak applications and Yelp instances are updated with the latest security patches. Users should exercise caution when using Flatpak applications and report any suspicious activity.
Recommended defensive actions
- Apply patches and updates for Flatpak and Yelp to ensure the latest security fixes are in place.
- Restrict the use of untrusted Flatpak applications and ensure only trusted sources are used.
- Monitor system logs for suspicious activity related to Flatpak and Yelp.
- Implement additional security measures, such as network monitoring, to detect potential exploitation attempts.
- Review and update security policies to address CSP implementation and sandbox isolation.
Evidence notes
The CVE-2026-13601 vulnerability was publicly disclosed on June 29, 2026. The vulnerability affects Yelp due to an overly permissive CSP implementation by yelp-xsl. A malicious Flatpak application can exploit this vulnerability to bypass sandbox isolation and disclose sensitive information. The CVSS score is 7.1, indicating HIGH severity. Multiple sources, including Red Hat and GNOME, have provided information and patches related to this vulnerability.
Official resources
This article is AI-assisted and based on the supplied source corpus.