USN-8287-1

Source
https://ubuntu.com/security/notices/USN-8287-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8287-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-8287-1
Upstream
Related
Published
2026-05-20T18:02:35Z
Modified
2026-05-27T16:59:13.644075376Z
Summary
xdg-desktop-portal vulnerability
Details

It was discovered that XDG Desktop Portal incorrectly handled trashing files. A local attacker could possibly use this issue to delete arbitrary files on the host file system via a symlink attack.

References

Affected packages

Ubuntu:24.04:LTS / xdg-desktop-portal

Package

Name
xdg-desktop-portal
Purl
pkg:deb/ubuntu/xdg-desktop-portal?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.18.4-1ubuntu2.24.04.2

Affected versions

1.*
1.18.0-1ubuntu1
1.18.2-1ubuntu1
1.18.2-1ubuntu3
1.18.2-1ubuntu4
1.18.3-1ubuntu1
1.18.4-1ubuntu2
1.18.4-1ubuntu2.24.04.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "xdg-desktop-portal",
            "binary_version": "1.18.4-1ubuntu2.24.04.2"
        },
        {
            "binary_name": "xdg-desktop-portal-tests",
            "binary_version": "1.18.4-1ubuntu2.24.04.2"
        }
    ],
    "availability": "No subscription required"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8287-1.json"
cves_map
{
    "ecosystem": "Ubuntu:24.04:LTS",
    "cves": [
        {
            "id": "CVE-2026-40354",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
                },
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        }
    ]
}

Ubuntu:25.10 / xdg-desktop-portal

Package

Name
xdg-desktop-portal
Purl
pkg:deb/ubuntu/xdg-desktop-portal?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.20.3+ds-1ubuntu1.1

Affected versions

1.*
1.20.0+ds-2ubuntu1
1.20.0+ds-2ubuntu2
1.20.0+ds-2ubuntu3
1.20.3+ds-1ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "xdg-desktop-portal",
            "binary_version": "1.20.3+ds-1ubuntu1.1"
        },
        {
            "binary_name": "xdg-desktop-portal-tests",
            "binary_version": "1.20.3+ds-1ubuntu1.1"
        }
    ],
    "availability": "No subscription required"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8287-1.json"
cves_map
{
    "ecosystem": "Ubuntu:25.10",
    "cves": [
        {
            "id": "CVE-2026-40354",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
                },
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        }
    ]
}