Aggregates CVE and security vulnerability intelligence across all flutter-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Common weakness patterns include vendor risk path handling and vendor risk input validation, with potential vendor impact file overwrite and vendor impact unexpected behavior across vendor surface production workloads use cases.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-27704 | The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub client (`dart pub` and `flutter pub`) extracts a package in the pub cache, a malicious package archive can have files extracted outside the destination directory in the `PUB_CACHE`. A fix has been landed in commit 26c6985c742593d081f8b58450f463a584a4203a. By normalizing the file path before writing fi | [email protected] | 6.6 | 0.06% | 2026-02-25 | 2026-03-13 |
| CVE-2024-54462 | The file names constructed within image_picker are missing sanitization checks leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious document provider installed can select an image file from that provider while using your app and could potentially override internal files in your app cache. Issue patched in 0.8.12+18. It is recommended to update to the latest version of image_picker_android that contains the changes to address this vulnera | [email protected] | 2.1 | 0.04% | 2025-01-29 | 2025-07-30 |
| CVE-2024-54461 | The file names constructed within file_selector are missing sanitization checks leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious document provider installed can select a document file from that provider while using your app and could potentially override internal files in your app cache. Issue patched in 0.5.1+12. It is recommended to update to the latest version of file_selector_android that contains the changes to address this vuln | [email protected] | 2.1 | 0.04% | 2025-01-29 | 2025-07-30 |
| CVE-2022-3095 | The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WhatWG URL standards. Dart uses the RFC 3986 syntax, which creates incompatibilities with the '\' characters in URIs, which can lead to auth bypass in webapps interpreting URIs. We recommend updating Dart or Flutter to mitigate the issue. | [email protected] | 9.8 | 0.11% | 2022-10-27 | 2024-11-21 |