Yelp: yelp-xsl: overly permissive content security policy in yelp allows host file disclosure from flatpak applications
Summary
| CVE | CVE-2026-13601 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-29 10:16:30 UTC |
| Updated | 2026-06-30 03:17:14 UTC |
| Description | A flaw was found in Yelp due to an overly permissive Content Security Policy (CSP) implementation provided by yelp-xsl. A malicious Flatpak application can open crafted help content through the OpenURI portal. By embedding an untrusted CSS stylesheet within a structured SVG document, attacker-controlled content can bypass Flatpak's intended sandbox isolation, allowing Yelp to evaluate local XML inclusions and disclose arbitrary user-readable host files through remote CSS resource requests. This may result in the unauthorized disclosure of sensitive information. |
Risk And Classification
Primary CVSS: v3.1 7.1 HIGH from ADP
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.001370000 probability, percentile 0.034980000 (date 2026-07-02)
Problem Types: CWE-693 Protection Mechanism Failure
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| 3.1 | [email protected] | Secondary | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| 3.1 | CNA | CVSS | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| blogs.gnome.org/mcatanzaro/2026/05/11/flatpak-sandbox-escape-via-yelp | [email protected] | blogs.gnome.org | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| gitlab.gnome.org/GNOME/yelp/-/work_items/238 | [email protected] | gitlab.gnome.org | |
| gitlab.gnome.org/GNOME/yelp/-/commit/c8c8244c8a812860782d635890c9b6c43ecc2639 | [email protected] | gitlab.gnome.org | |
| access.redhat.com/security/cve/CVE-2026-13601 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-13601.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Red Hat would like to thank Codean Labs for reporting this issue.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-06-29T07:46:00.021Z | Reported to Red Hat. |
| CNA | 2026-05-07T00:00:00.000Z | Made public. |
| ADP | 2026-06-29T07:46:00.021Z | Reported to Red Hat. |
| ADP | 2026-05-07T00:00:00.000Z | Made public. |
Workarounds
CNA: No mitigation is currently available that meets Red Hat Product Security's standards for usability, deployment, applicability, or stability. Customers are advised to apply the appropriate security update when it becomes available.
ADP: No mitigation is currently available that meets Red Hat Product Security's standards for usability, deployment, applicability, or stability. Customers are advised to apply the appropriate security update when it becomes available.