PT-2026-33546 · Unknown · Securedrop Client
Published
2026-04-18
·
Updated
2026-04-19
·
CVE-2026-35465
CVSS v3.1
7.5
High
| Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
SecureDrop Client versions prior to 0.17.5
Description
Improper filename validation during gzip extraction allows a compromised SecureDrop Server to achieve code execution on the Client virtual machine (sd-app). The extraction code accepts absolute paths in the filename, so a malicious server can direct the decompressed output outside the intended directory and overwrite critical files, such as the client's SQLite database.
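The following is an added example written for this entry; it is not SecureDrop Client's code and does not reproduce the fixed or vulnerable project source. It assumes the attacker-controlled filename is the FNAME field of the gzip header (the advisory does not say where the name comes from), and the function names `build_gzip`, `gzip_header_name`, `unsafe_output_path`, `safe_output_path` and `extract` are hypothetical. It constructs a gzip stream in memory whose header names an absolute path, shows how a naive `os.path.join` lets that name override the destination directory, and contrasts it with a check that rejects absolute paths, path separators and anything that resolves outside the destination.

```python
"""Added example (not SecureDrop's code): reading the FNAME field of a gzip
header and validating it before using it as an output path."""
import os
import struct
import zlib
from typing import Optional, Tuple

FNAME = 0x08  # FLG.FNAME bit in the gzip header (RFC 1952)


def build_gzip(payload: bytes, header_name: str) -> bytes:
    """Construct a gzip member whose header carries an arbitrary FNAME.

    Constructed sample input for this example. It is built by hand because
    gzip.GzipFile reduces the name to its basename, which would hide exactly
    the absolute path a malicious server could send.
    """
    name = header_name.encode("latin-1")
    # ID1 ID2 CM FLG | MTIME(4) XFL OS
    header = b"\x1f\x8b\x08" + bytes([FNAME]) + struct.pack("<LBB", 0, 0, 3)
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw deflate
    body = comp.compress(payload) + comp.flush()
    trailer = struct.pack("<LL", zlib.crc32(payload) & 0xFFFFFFFF,
                          len(payload) & 0xFFFFFFFF)
    return header + name + b"\x00" + body + trailer


def gzip_header_name(data: bytes) -> Optional[str]:
    """Return the FNAME stored in a gzip header, or None if absent."""
    if data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip stream")
    flags = data[3]
    pos = 10
    if flags & 0x04:  # FEXTRA precedes FNAME: skip the extra field
        xlen = struct.unpack_from("<H", data, pos)[0]
        pos += 2 + xlen
    if not flags & FNAME:
        return None
    end = data.index(b"\x00", pos)
    return data[pos:end].decode("latin-1")


def unsafe_output_path(dest_dir: str, name: str) -> str:
    """The pattern the advisory describes: os.path.join discards dest_dir
    entirely when `name` is absolute, so the server chooses the target file."""
    return os.path.join(dest_dir, name)


def safe_output_path(dest_dir: str, name: str) -> str:
    """Hardened form: accept only a bare file name and confirm that the
    resolved path still lies directly inside dest_dir."""
    if not name or os.path.isabs(name) or name != os.path.basename(name):
        raise ValueError(f"refusing filename from untrusted header: {name!r}")
    if name in (".", ".."):
        raise ValueError("refusing relative directory reference")
    dest_real = os.path.realpath(dest_dir)
    out = os.path.realpath(os.path.join(dest_real, name))
    if os.path.dirname(out) != dest_real:
        raise ValueError("resolved path escapes destination directory")
    return out


def extract(data: bytes, dest_dir: str, path_fn=safe_output_path) -> Tuple[str, bytes]:
    """Decompress one gzip member and decide where it would be written.

    Returns (output_path, payload) instead of touching the filesystem so the
    unsafe and safe path policies can be compared side by side.
    """
    name = gzip_header_name(data) or "submission"
    out = path_fn(dest_dir, name)
    payload = zlib.decompress(data, wbits=zlib.MAX_WBITS | 16)  # gzip wrapper
    return out, payload


if __name__ == "__main__":
    # Hypothetical database location, used only to show the absolute-path case.
    evil = build_gzip(b"garbage", "/home/user/.securedrop_client/svs.sqlite")
    print("unsafe target:", extract(evil, "downloads", unsafe_output_path)[0])
    try:
        extract(evil, "downloads")
    except ValueError as exc:
        print("safe policy rejected it:", exc)
```

The root cause is the documented behaviour of `os.path.join`: an absolute component throws away everything before it, so any validation that only looks for `..` misses this case entirely. The hardened check rejects absolute names and separators up front and still verifies the resolved path afterwards, so a symlinked destination directory cannot be used to slip past the string checks.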
Recommendations
Update SecureDrop Client to version 0.17.5 or later.
Fix
Related Identifiers
Affected Products
Securedrop Client