Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.
Conclusion & alert: CVE-2023-28100 is rated Moderate Risk (59.1/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 0.87%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.70% | 0.87% | +0.17% |
| 2 | 2026-04-03 | 0.60% | 0.70% | +0.10% |
| 3 | 2026-03-20 | — | 0.60% | — |
Full EPSS history (24 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 10.0 | 3.1 | CRITICAL |
|
3.9 | 6.0 | [email protected] |
| 6.5 | 3.1 | MEDIUM |
|
2.0 | 4.0 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2023-28100: 1 source package rows (flatpak); 11 state rows across 2 repos (3.22-community, edge-community); fixed 0, open 11. | https://security.alpinelinux.org/vuln/CVE-2023-28100 |
debian
|
not yet assigned | CVE-2023-28100 not yet assigned priority: Debian including 1 source packages (flatpak), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2023-28100 |
gentoo
|
high | CVE-2023-28100: 1 GLSA(s) (202312-12), 1 atom(s) (sys-apps/flatpak); latest impact high. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2023-28100 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2023-28100 |
suse
|
high | CVE-2023-28100 severity important: SUSE including 73 source package names (flatpak, flatpak-1.10.8-1.el8, …), 157 product×package rows across 26 product lines (SUSE CaaS Platform 4.0, SUSE Enterprise Storage 7, … (26 product lines)): Fixed 150, Known Not Affected 7. | https://www.suse.com/security/cve/CVE-2023-28100/ |
ubuntu
|
medium | CVE-2023-28100 medium priority: Ubuntu including 1 source packages (flatpak), 13 status rows across 13 suites (bionic, focal, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): ignored 7, needs-triage 6. | https://ubuntu.com/security/CVE-2023-28100 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| flatpak | flatpak | < 1.10.8 | cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:* |
| flatpak | flatpak | >= 1.12.0, < 1.12.8 | cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:* |
| flatpak | flatpak | >= 1.14.0, < 1.14.4 | cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:* |
| flatpak | flatpak | >= 1.15.0, < 1.15.4 | cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:* |