PatchSiren

flatpak CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL flatpak CVE published 2026-04-07

CVE-2026-34078

CVE-2026-34078 is a critical vulnerability in the Flatpak Linux application sandboxing and distribution framework. Prior to version 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. The vulnerability is fi [truncated]