In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the "system helper" component, files deployed as part of the app are owned by root, so in the worst case they could be setuid root.
Conclusion & alert: CVE-2017-9780 is rated Moderate Risk (41/100): CVSS High severity, with low exploitation likelihood (EPSS 0.36%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.04% | 0.36% | +0.31% |
| 2 | 2026-03-17 | 0.10% | 0.04% | -0.06% |
| 3 | 2025-11-21 | — | 0.10% | — |
Full EPSS history (10 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.8 | 3.0 | HIGH |
|
1.8 | 5.9 | [email protected] |
| 7.2 | 2.0 | HIGH |
|
3.9 | 10.0 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2017-9780 not yet assigned priority: Debian including 1 source packages (flatpak), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2017-9780 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2017-9780 |
ubuntu
|
medium | CVE-2017-9780 medium priority: Ubuntu including 1 source packages (flatpak), 8 status rows across 8 suites (artful, bionic, cosmic, trusty, upstream, xenial, yakkety, zesty): ignored 3, DNE 2, not-affected 2, released 1. | https://ubuntu.com/security/CVE-2017-9780 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| flatpak | flatpak | <= 0.8.6 | cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:* |
| debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://www.debian.org/security/2017/dsa-3895 | Third Party Advisory |
| http://www.securityfocus.com/bid/99346 | Third Party Advisory VDB Entry |
| https://bugs.debian.org/865413 | Issue Tracking Patch Third Party Advisory |
| https://github.com/flatpak/flatpak/issues/845 | Issue Tracking Patch Third Party Advisory |