2 matches found
CVE-2022-21682
CVE-2022-21682 (Flatpak-builder path traversal) affects Flatpak and its builder in versions before the fix, that is, before 1.12.3 and 1.10.6. The vulnerability arises when flatpak-builder applies finish-args at finalization, allowing the build directory to inherit permissions declared in the manifest; with ...
CVE-2026-39977
The CVE concerns flatpak-builder (versions 1.4.5–1.4.7) where the license-files manifest key accepts an array of paths relative to the module source. Paths are validated using two checks, but the final path component and symlink handling can allow path traversal. The copy operation runs on the ho...