CVE Catalog

CVE-2026-2604

MediumCVSS 5.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile — higher than 22% of all known CVEs

Summary

A flaw was found in evolution-data-server that allows for inconsistent comparison in the addressbook file backend. A Flatpak application with D-Bus access can craft a malicious URI containing directory traversal sequences, leading to the deletion of arbitrary files on the host filesystem.

Risk Assessment

This vulnerability could lead to the deletion of critical Flatpak override files, posing a serious threat to the integrity of the system and the organization's data.

Recommendation

It is recommended to implement additional URI validation during contact creation and modification, and to restrict access to Flatpak applications to minimize the risk of exploitation of this vulnerability.

Original NVD description (English source)

A flaw was found in evolution-data-server. Inconsistent comparison logic in the addressbook file backend allows a Flatpak application with D-Bus access to craft a malicious URI containing directory traversal sequences. This URI is stored without proper validation during contact creation or modification. Later, during contact deletion, the URI is processed with a less strict check, leading to the deletion of arbitrary files on the host filesystem. This could potentially include critical Flatpak override files.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS