CRITICAL
flatpak
CVE published 2026-04-07
CVE-2026-34078
CVE-2026-34078 is a critical vulnerability in the Flatpak Linux application sandboxing and distribution framework. Prior to version 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. The vulnerability is fi [truncated]
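The bug class described above, a privileged helper that accepts a path from an app and follows symlinks the app controls, shown as an added Python example. It is not Flatpak's code or its fix; `open_naive`, `open_beneath` and the temporary `host`/`app` directory layout are hypothetical names constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

def open_naive(root, rel):
    # Lexical check only: the string stays under root, but open() follows symlinks.
    path = os.path.normpath(os.path.join(root, rel))
    if not path.startswith(root + os.sep):
        raise PermissionError("outside root")
    return os.open(path, os.O_RDONLY)

def open_beneath(root, rel):
    # Walk one component at a time relative to a directory fd, refusing symlinks.
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("bad path")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, name in enumerate(parts):
            flags = os.O_RDONLY | os.O_NOFOLLOW
            if i < len(parts) - 1:
                flags |= os.O_DIRECTORY  # intermediate components must be real dirs
            nxt = os.open(name, flags, dir_fd=fd)
            os.close(fd)
            fd = nxt
        return fd
    except OSError as exc:
        os.close(fd)
        raise PermissionError(f"refused {rel!r}") from exc

def _slurp(fd):
    with os.fdopen(fd) as f:
        return f.read()

def demo():
    # Constructed layout: "app" is writable by the untrusted side, "host" is not exposed.
    with tempfile.TemporaryDirectory() as tmp:
        host, app = Path(tmp, "host"), Path(tmp, "app")
        host.mkdir()
        app.mkdir()
        (host / "secret").write_text("host-only")
        (app / "data").write_text("app-data")
        (app / "link").symlink_to(host)  # symlink planted inside the app directory
        leaked = _slurp(open_naive(str(app), "link/secret"))
        try:
            os.close(open_beneath(str(app), "link/secret"))
            blocked = False
        except PermissionError:
            blocked = True
        return leaked, blocked, _slurp(open_beneath(str(app), "data"))
```

Holding a directory file descriptor across the walk also avoids the check-then-use race that a one-off `realpath` comparison leaves open.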