{"id":"CVE-2026-13601","summary":"Yelp: yelp-xsl: overly permissive content security policy in yelp allows host file disclosure from flatpak applications","details":"A flaw was found in Yelp due to an overly permissive Content Security Policy (CSP) implementation provided by yelp-xsl. A malicious Flatpak application can open crafted help content through the OpenURI portal. By embedding an untrusted CSS stylesheet within a structured SVG document, attacker-controlled content can bypass Flatpak's intended sandbox isolation, allowing Yelp to evaluate local XML inclusions and disclose arbitrary user-readable host files through remote CSS resource requests. This may result in the unauthorized disclosure of sensitive information.","modified":"2026-07-13T18:29:40.414860563Z","published":"2026-06-29T09:20:40.865Z","related":["openSUSE-SU-2026:21295-1"],"database_specific":{"cwe_ids":["CWE-693"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13601.json","cna_assigner":"redhat"},"references":[{"type":"WEB","url":"https://access.redhat.com/downloads/content/package-browser/"},{"type":"WEB","url":"https://gitlab.gnome.org/GNOME/yelp/-/work_items/238"},{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-13601.json"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-13601"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13601.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-13601"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2494110"},{"type":"FIX","url":"https://gitlab.gnome.org/GNOME/yelp/-/commit/c8c8244c8a812860782d635890c9b6c43ecc2639"},{"type":"ARTICLE","url":"https://blogs.gnome.org/mcatanzaro/2026/05/11/flatpak-sandbox-escape-via-yelp/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gnome/yelp","events":[{"introduced":"0"},{"fixed":"7856e7f79070f515282875212e1a90f09cfa5538"}],"database_specific":{"source":"CPE_RANGE","cpe":"cpe:2.3:a:gnome:yelp:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"49.1"}]}}],"versions":["49.0","49.rc","42.3","49.beta","42.2","42.1","42.0","42.beta","41.1","41.0","41.beta2","41.beta","40.2","40.0","40.rc","40.beta","3.38.1","3.38.0","3.37.90","3.36.0","3.34.0","3.33.92","3.32.2","3.32.1","3.32.0","3.31.90","3.30.0","3.28.1","3.28.0","3.27.1","3.26.0","3.22.0","3.25.3","3.20.1","3.21.3","3.20.0","3.19.91","3.19.90","3.19.1","3.18.1","3.18.0","3.17.91","3.17.90","3.17.4","3.17.3","3.17.2","3.4.2","3.16.0","3.15.91","3.15.90","3.14.1","3.14.0","3.13.92","3.13.90","3.13.3","3.10.1","3.8.1","3.11.1","3.10.0","3.9.91","3.9.90","3.8.0","3.7.90","3.7.4","3.7.3","3.6.1","3.6.0","3.5.92","3.5.91","3.5.90","3.4.1","3.4.0","3.3.92","3.3.4","3.3.3","3.3.2","3.3.1","3.2.0","3.1.4","3.1.3","3.1.2","3.1.1","3.0.2","3.0.1","3.0.0","2.91.92","2.91.91","2.91.90","2.91.10","2.91.9","2.91.8","2.31.7","2.31.6","2.31.2","2.31.1","2.27.3","2.27.2","2.27.1","YELP_2_26_0","YELP_2_25_1","YELP_2_24_0","YELP_2_23_91","YELP_2_23_2","YELP_2_23_1","YELP_2_22_1","YELP_2_22_0","YELP_2_21_90","YELP_2_21_2","YELP_2_21_1","YELP_2_20_0","YELP_2_19_90","YELP_2_19_1","YELP_2_18_1","YELP_2_18_0","YELP_2_16_2","YELP_2_16_1","YELP_2_16_0","YELP_2_15_91","YELP_2_15_5","YELP_2_15_4","YELP_DOCUMENT_BRANCHPOINT","YELP_2_15_3","BEFORE_DROPPING_GECKO_1_7","YELP_2_15_2","YELP_2_15_1","YELP_2_14_0","GNOME_2_14_BRANCH","YELP_2_13_6","YELP_2_13_5","YELP_2_13_4","YELP_2_13_3","YELP_2_13_2","YELP_2_13_1","YELP_2_12_1","YELP_2_12_0","YELP_2_11_92","YELP_2_11_1","YELP_2_10_0","YELP_2_9_3","YELP_2_9_2","YELP_2_9_1","YELP_2_6_0","YELP_2_5_91","YELP_2_5_90","YELP_2_5_6","YELP_2_5_5","YELP_2_5_4","YELP_2_5_3","YELP_2_5_2_1","YELP_2_5_2","YELP_2_5_1","YELP_2_5_0","YELP_2_3_6","YELP_2_3_4","LIBGNOME_2_3_3_1","YELP_2_3_3","LIBGNOME_2_3_3","YELP_2_3_0","YELP_2_1_5","YELP_2_1_4","LIBGNOME_2_3_0","LIBGNOME_2_2_0_1","LIBGNOME_2_2_0","LIBGNOME_2_1_90","GNOME_2_2_BRANCHPOINT","YELP_2_1_3","YELP_2_1_2","YELP_2_1_0","YELP_1_0_6","YELP_1_0_5","YELP_1_0_4","LIBGNOME_2_1_5","LIBGNOME_2_1_4","LIBGNOME_2_1_2","LIBGNOME_2_1_1","LIBGNOME_2_1_0","LIBGNOME_2_0_6","LIBGNOME_2_0_5","LIBGNOME_2_0_4","LIBGNOME_2_0_3","YELP_1_0_3","YELP_1_0_2","LIBGNOME_2_0_2","before_GNOME_2_0","YELP_1_0_1","YELP_1_0","YELP_0_10","YELP_0_9_1","YELP_0_9","LIBGNOME_2_0_1","LIBGNOME_2_0_0","LIBGNOME_1_117_2","YELP_0_8","LIBGNOME_1_117_1","LIBGNOME_1_117_0","YELP_0_7","YELP_0_6_1","YELP_0_6","LIBGNOME_1_116_0","LIBGNOME_1_115_0","YELP_0_5","YELP_0_4","YELP_0_3","LIBGNOME_1_114_0","LIBGNOME_1_113_0","LIBGNOME_1_112_1","YELP_0_2_1","YELP_0_2","LIBGNOME_1_112_0","LIBGNOME_1_111_0","LIBGNOME_1_110_0","LIBGNOME_1_109_1","LIBGNOME_1_109_0","LIBGNOME_1_108_0","LIBGNOME_1_107_0","LIBGNOME_1_105_0","V0_1","NAUTILUS_1_0_5","REDHAT_MERGE_BRANCHPOINT","REDHAT_OUTSTANDING_PATCHES_BRANCHPOINT","MJS_PATCHES_TO_REDHAT_PATCHES_ANCHOR","NAUTILUS_1_0_4","NAUTILUS_1_0_3","before-trilobite-move","NAUTILUS_1_ANCHOR","NAUTILUS_0_8_2","NAUTILUS_PR3_ANCHOR","NAUTILUS_0_8","INSTALLER_PR3_ANCHOR","RAK_SOUNDVIEW_ANCHOR","NAUTILUS_UIH_MERGE_BASE","NAUTILUS_PR2_ANCHOR","NAUTILUS_0_5","NAUTILUS_0_1_0","NAUTILUS-NEW-UIH-BRANCH_ANCHOR","EAZEL_NAUTILUS_DEMO_2_ANCHOR","EAZEL_DEMO_1_ANCHOR","EAZEL-NAUTILUS-MS-JULY_5","EAZEL-NAUTILUS-MS-JUL12","EAZEL-NAUTILUS-MS-AUG07","EAZEL-NAUTILUS-DEMO-BLESSED","nautilus_ms_may_31","mjs_pre_great_renaming","POST_1_0_MERGE","GNOME_CORE_1_1_0","PRE_1_0_MERGE","GNOME_CORE_1_0_ANCHOR","GNOME_CORE_1_0_9","GNOME_CORE_1_0_8","GNOME_CORE_1_0_7","GNOME_CORE_1_0_6","GNOME_CORE_1_0_5","GNOME_CORE_1_0_4","GGV_0_61","GNOME_CORE_1_0_3","GNOME_CORE_1_0_1","GNOME_CORE_1_0_0_1","GNOME_0_99_8_1","GNOME_0_99_8","GNOME_0_99_7","GNOME_0_99_3","GNOME_0_99_2","PRE_PANEL2","GNOME_STABLE_ANCHOR","FOR_GNOME_0_99_1","PANTING_CHIMPANZEE","GNOME_0_30","GNOME_0_28_MARTIN","GNOME_0_27","GNOME_0_25","GNOME_0_20a","GNOME_0_20","DROOLING_MACAQUE"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13601.json"}},{"ranges":[{"type":"GIT","repo":"https://gitlab.gnome.org/gnome/yelp","events":[{"introduced":"0"},{"fixed":"7856e7f79070f515282875212e1a90f09cfa5538"},{"fixed":"c8c8244c8a812860782d635890c9b6c43ecc2639"}],"database_specific":{"cpe":"cpe:2.3:a:gnome:yelp:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"49.1"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["49.0","49.rc","42.3","49.beta","42.2","42.1","42.0","42.beta","41.1","41.0","41.beta2","41.beta","40.2","40.0","40.rc","40.beta","3.38.1","3.38.0","3.37.90","3.36.0","3.34.0","3.33.92","3.32.2","3.32.1","3.32.0","3.31.90","3.30.0","3.28.1","3.28.0","3.27.1","3.26.0","3.22.0","3.25.3","3.20.1","3.21.3","3.20.0","3.19.91","3.19.90","3.19.1","3.18.1","3.18.0","3.17.91","3.17.90","3.17.4","3.17.3","3.17.2","3.4.2","3.16.0","3.15.91","3.15.90","3.14.1","3.14.0","3.13.92","3.13.90","3.13.3","3.10.1","3.8.1","3.11.1","3.10.0","3.9.91","3.9.90","3.8.0","3.7.90","3.7.4","3.7.3","3.6.1","3.6.0","3.5.92","3.5.91","3.5.90","3.4.1","3.4.0","3.3.92","3.3.4","3.3.3","3.3.2","3.3.1","3.2.0","3.1.4","3.1.3","3.1.2","3.1.1","3.0.2","3.0.1","3.0.0","2.91.92","2.91.91","2.91.90","2.91.10","2.91.9","2.91.8","2.31.7","2.31.6","2.31.2","2.31.1","2.27.3","2.27.2","2.27.1","YELP_2_26_0","YELP_2_25_1","YELP_2_24_0","YELP_2_23_91","YELP_2_23_2","YELP_2_23_1","YELP_2_22_1","YELP_2_22_0","YELP_2_21_90","YELP_2_21_2","YELP_2_21_1","YELP_2_20_0","YELP_2_19_90","YELP_2_19_1","YELP_2_18_1","YELP_2_18_0","YELP_2_16_2","YELP_2_16_1","YELP_2_16_0","YELP_2_15_91","YELP_2_15_5","YELP_2_15_4","YELP_DOCUMENT_BRANCHPOINT","YELP_2_15_3","BEFORE_DROPPING_GECKO_1_7","YELP_2_15_2","YELP_2_15_1","YELP_2_14_0","GNOME_2_14_BRANCH","YELP_2_13_6","YELP_2_13_5","YELP_2_13_4","YELP_2_13_3","YELP_2_13_2","YELP_2_13_1","YELP_2_12_1","YELP_2_12_0","YELP_2_11_92","YELP_2_11_1","YELP_2_10_0","YELP_2_9_3","YELP_2_9_2","YELP_2_9_1","YELP_2_6_0","YELP_2_5_91","YELP_2_5_90","YELP_2_5_6","YELP_2_5_5","YELP_2_5_4","YELP_2_5_3","YELP_2_5_2_1","YELP_2_5_2","YELP_2_5_1","YELP_2_5_0","YELP_2_3_6","YELP_2_3_4","LIBGNOME_2_3_3_1","YELP_2_3_3","LIBGNOME_2_3_3","YELP_2_3_0","YELP_2_1_5","YELP_2_1_4","LIBGNOME_2_3_0","LIBGNOME_2_2_0_1","LIBGNOME_2_2_0","LIBGNOME_2_1_90","GNOME_2_2_BRANCHPOINT","YELP_2_1_3","YELP_2_1_2","YELP_2_1_0","YELP_1_0_6","YELP_1_0_5","YELP_1_0_4","LIBGNOME_2_1_5","LIBGNOME_2_1_4","LIBGNOME_2_1_2","LIBGNOME_2_1_1","LIBGNOME_2_1_0","LIBGNOME_2_0_6","LIBGNOME_2_0_5","LIBGNOME_2_0_4","LIBGNOME_2_0_3","YELP_1_0_3","YELP_1_0_2","LIBGNOME_2_0_2","before_GNOME_2_0","YELP_1_0_1","YELP_1_0","YELP_0_10","YELP_0_9_1","YELP_0_9","LIBGNOME_2_0_1","LIBGNOME_2_0_0","LIBGNOME_1_117_2","YELP_0_8","LIBGNOME_1_117_1","LIBGNOME_1_117_0","YELP_0_7","YELP_0_6_1","YELP_0_6","LIBGNOME_1_116_0","LIBGNOME_1_115_0","YELP_0_5","YELP_0_4","YELP_0_3","LIBGNOME_1_114_0","LIBGNOME_1_113_0","LIBGNOME_1_112_1","YELP_0_2_1","YELP_0_2","LIBGNOME_1_112_0","LIBGNOME_1_111_0","LIBGNOME_1_110_0","LIBGNOME_1_109_1","LIBGNOME_1_109_0","LIBGNOME_1_108_0","LIBGNOME_1_107_0","LIBGNOME_1_105_0","V0_1","NAUTILUS_1_0_5","REDHAT_MERGE_BRANCHPOINT","REDHAT_OUTSTANDING_PATCHES_BRANCHPOINT","MJS_PATCHES_TO_REDHAT_PATCHES_ANCHOR","NAUTILUS_1_0_4","NAUTILUS_1_0_3","before-trilobite-move","NAUTILUS_1_ANCHOR","NAUTILUS_0_8_2","NAUTILUS_PR3_ANCHOR","NAUTILUS_0_8","INSTALLER_PR3_ANCHOR","RAK_SOUNDVIEW_ANCHOR","NAUTILUS_UIH_MERGE_BASE","NAUTILUS_PR2_ANCHOR","NAUTILUS_0_5","NAUTILUS_0_1_0","NAUTILUS-NEW-UIH-BRANCH_ANCHOR","EAZEL_NAUTILUS_DEMO_2_ANCHOR","EAZEL_DEMO_1_ANCHOR","EAZEL-NAUTILUS-MS-JULY_5","EAZEL-NAUTILUS-MS-JUL12","EAZEL-NAUTILUS-MS-AUG07","EAZEL-NAUTILUS-DEMO-BLESSED","nautilus_ms_may_31","mjs_pre_great_renaming","POST_1_0_MERGE","GNOME_CORE_1_1_0","PRE_1_0_MERGE","GNOME_CORE_1_0_ANCHOR","GNOME_CORE_1_0_9","GNOME_CORE_1_0_8","GNOME_CORE_1_0_7","GNOME_CORE_1_0_6","GNOME_CORE_1_0_5","GNOME_CORE_1_0_4","GGV_0_61","GNOME_CORE_1_0_3","GNOME_CORE_1_0_1","GNOME_CORE_1_0_0_1","GNOME_0_99_8_1","GNOME_0_99_8","GNOME_0_99_7","GNOME_0_99_3","GNOME_0_99_2","PRE_PANEL2","GNOME_STABLE_ANCHOR","FOR_GNOME_0_99_1","PANTING_CHIMPANZEE","GNOME_0_30","GNOME_0_28_MARTIN","GNOME_0_27","GNOME_0_25","GNOME_0_20a","GNOME_0_20","DROOLING_MACAQUE"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13601.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}]}