SecureDrop Client Flaw Enables Remote Code Execution from Compromised Server

Published: 2026-04-18
Category: technology
Source: Tenable

A high-severity vulnerability, CVE-2026-35465, has been identified in SecureDrop Client versions 0.17.4 and earlier. This flaw could allow a compromised SecureDrop Server to execute code on the client's virtual machine. The issue arises from improper filename validation during gzip archive extraction, potentially leading to the overwriting of critical files. The vulnerability has since been fixed in SecureDrop Client version 0.17.5.
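The class of check involved, as an added example that is not SecureDrop's code or its 0.17.5 patch: it assumes the untrusted filename is the optional FNAME field of the gzip header (RFC 1952), which the summary above does not specify. The function names `embedded_name`, `safe_target`, `extract` and `make_sample` are hypothetical, and the sample archives are constructed.

```python
import gzip
import os
import struct
import zlib
from pathlib import Path

FEXTRA, FNAME = 0x04, 0x08  # RFC 1952 FLG bits


def embedded_name(data):
    """Return the FNAME header field of a gzip member, or None if absent."""
    if len(data) < 10 or data[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a gzip/deflate stream")
    flags, pos = data[3], 10
    if flags & FEXTRA:  # skip the optional extra field that precedes FNAME
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & FNAME:
        return None
    end = data.find(b"\x00", pos)
    if end == -1:
        raise ValueError("unterminated FNAME field")
    return data[pos:end].decode("latin-1")  # RFC 1952 specifies ISO 8859-1


def safe_target(dest_dir, untrusted_name, fallback="download"):
    """Map an untrusted name to a path that is a direct child of dest_dir."""
    name = untrusted_name or fallback
    if name in (".", "..") or name != os.path.basename(name) or "\\" in name:
        raise ValueError(f"unsafe filename in archive: {name!r}")
    dest = Path(dest_dir).resolve()
    target = (dest / name).resolve()  # also follows a pre-existing symlink
    if target.parent != dest:
        raise ValueError(f"path escapes destination: {name!r}")
    return target


def extract(data, dest_dir):
    """Validate the embedded name first, then write the decompressed body."""
    target = safe_target(dest_dir, embedded_name(data))
    with open(target, "xb") as fh:  # "x": never overwrite an existing file
        fh.write(gzip.decompress(data))
    return target


def make_sample(name, body):
    """Constructed input: gzip member whose FNAME is the raw bytes `name`."""
    comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    header = b"\x1f\x8b\x08" + bytes([FNAME]) + b"\x00" * 6 + name + b"\x00"
    trailer = struct.pack("<II", zlib.crc32(body), len(body))
    return header + comp.compress(body) + comp.flush() + trailer
```

Opening the target in exclusive-create mode means a name that passes validation still cannot replace a file already present in the destination directory.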
