CVE-2026-13601

Name: CVE-2026-13601
Description: A flaw was found in Yelp due to an overly permissive Content Security Policy (CSP) implementation provided by yelp-xsl. A malicious Flatpak application can open crafted help content through the OpenURI portal. By embedding an untrusted CSS stylesheet within a structured SVG document, attacker-controlled content can bypass Flatpak's intended sandbox isolation, allowing Yelp to evaluate local XML inclusions and disclose arbitrary user-readable host files through remote CSS resource requests. This may result in the unauthorized disclosure of sensitive information.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4647-1, DSA-6319-1
Debian Bugs: 1136299

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release               Version             Status
yelp (PTS)       bullseye              3.38.3-1            vulnerable
                 bullseye (security)   3.38.3-1+deb11u2    fixed
                 bookworm              42.2-1+deb12u1      vulnerable
                 bookworm (security)   42.2-1+deb12u2      fixed
                 trixie                42.2-4              vulnerable
                 trixie (security)     42.2-4+deb13u1      fixed
                 forky, sid            49.1-1              fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version       Urgency   Origin       Debian Bugs
yelp      source   bullseye     3.38.3-1+deb11u2              DLA-4647-1
yelp      source   bookworm     42.2-1+deb12u2                DSA-6319-1
yelp      source   trixie       42.2-4+deb13u1                DSA-6319-1
yelp      source   (unstable)   49.1-1                                     1136299

Notes

https://blogs.gnome.org/mcatanzaro/2026/05/11/flatpak-sandbox-escape-via-yelp/
https://gitlab.gnome.org/GNOME/yelp/-/work_items/238
Fixed by: https://gitlab.gnome.org/GNOME/yelp/-/commit/d220aa2f754eed4e6a006a4acaa68b31892dea2b (49.1)
Fixed by: https://gitlab.gnome.org/GNOME/yelp/-/commit/c8c8244c8a812860782d635890c9b6c43ecc2639 (49.1)
