216.73.217.98

CVE-2026-2604

· Published 17/06/2026 15:20 · Author: The MITRE Corporation

Labels: CVE-2026-2604 2026-06-17CVE-2026-2604CWE-73[email protected]

Essential information

Published
17/06/2026 15:20
Modified
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
5.6 MEDIUM (v3.1)
CISA KEV
No
CWE
CWE-73
EPSS (First)
P21.9% ?EPSS percentile: rank of this vulnerability versus all others. Higher percentile = more likely to be exploited. Learn more (score 0.00304)
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L

CVSS metrics

Description

A flaw was found in evolution-data-server. Inconsistent comparison logic in the addressbook file backend allows a Flatpak application with D-Bus access to craft a malicious URI containing directory traversal sequences. This URI is stored without proper validation during contact creation or modification. Later, during contact deletion, the URI is processed with a less strict check, leading to the deletion of arbitrary files on the host filesystem. This could potentially include critical Flatpak override files.

NVD status

NVD
View on NVD