CVE-2026-10037
HIGHCVSS v3.1: 8.8
Source data as of:
At a glance
- Severity
- HIGH
- CVSS
- 8.8 v3.1 · NVD
- EPSS
- EPSS not provided by FIRST.org for this CVE
- CISA KEV
- No
- Type
- Improper Input Validation · NVD CWE
- Attack conditions (CVSS vector)
- No user interaction · Source: NVD Vector
- Published
- 2026-07-08 · Modified: 2026-07-08
- References
- Jump to references (1)
CVSS / EPSS / KEV
Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources
Description
A sandbox escape vulnerability exists in the OpenJDK packages provided in Ubuntu. The .jar MIME handlers installed by these packages execute files marked as executable when the mailcap package is installed. A compromised or malicious sandboxed application with access to the OpenURI portal via xdg-desktop-portal-gtk can write a malicious .jar file to the host file system, set its executable bit, and trigger the handler to execute arbitrary code outside of the sandbox environment.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.