CVE-2026-27704
CVE-2026-27704 is a high-severity vulnerability in Dart Dart Software Development Kit with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-22.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v4: 6.6
- EPSS exploit prediction: 0% (28th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-8647
- Weakness: CWE-22
- Affected product: Dart Dart Software Development Kit
- Published:
- Last modified:
Description
The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub client (`dart pub` and `flutter pub`) extracts a package in the pub cache, a malicious package archive can have files extracted outside the destination directory in the `PUB_CACHE`. A fix has been landed in commit 26c6985c742593d081f8b58450f463a584a4203a. By normalizing the file path before writing file, the attacker can no longer traverse up via a symlink. This patch is released in Dart 3.11.0 and Flutter 3.41.0.vAll packages on pub.dev have been vetted for this vulnerability. New packages are no longer allowed to contain symlinks. The pub client itself doesn't upload symlinks, but duplicates the linked entry, and has been doing this for years. Those whose dependencies are all from pub.dev, third-party repositories trusted to not contain malicious code, or git dependencies are not affected by this vulnerability.
Frequently asked questions
- What is CVE-2026-27704?
- The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub client (`dart pub` and `flutter pub`) extracts a package in the pub cache, a malicious package archive can have files extracted outside the destination directory in the `PUB_CACHE`. A fix has been landed in commit 26c6985c742593d081f8b58450f463a584a4203a. By normalizing the file path before writing file, the attacker can no longer traverse up via a symlink. This patch is released in Dart 3.11.0 and Flutter 3.41.0.vAll packages on pub.dev have been vetted for this vulnerability. New packages are no longer allowed to contain symlinks. The pub client itself doesn't upload symlinks, but duplicates the linked entry, and has been doing this for years. Those whose dependencies are all from pub.dev, third-party repositories trusted to not contain malicious code, or git dependencies are not affected by this vulnerability.
- How severe is CVE-2026-27704?
- CVE-2026-27704 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2026-27704 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (28th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-27704?
- CVE-2026-27704 primarily affects Dart Dart Software Development Kit. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2026-27704?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-27704 have an EU (EUVD) identifier?
- Yes. CVE-2026-27704 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-8647.
- When was CVE-2026-27704 published?
- CVE-2026-27704 was published on 2026-02-25 and last updated on 2026-06-17.
References
- https://github.com/dart-lang/pub/commit/26c6985c742593d081f8b58450f463a584a4203a
- https://github.com/dart-lang/sdk/security/advisories/GHSA-q739-79rh-vmvp
Affected products (2)
- cpe:2.3:a:dart:dart_software_development_kit:*:*:*:*:*:*:*:*
- cpe:2.3:a:flutter:flutter:*:*:*:*:*:*:*:*
More vulnerabilities in Dart Dart Software Development Kit
- CVE-2022-3095 — Critical (CVSS 9.8): The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to…
- CVE-2021-22568 — High (CVSS 8.8): When using the dart pub publish command to publish a package to a third-party package server, the request would be…
- CVE-2022-0451 — Medium (CVSS 6.5): Dart SDK contains the HTTPClient in dart:io library whcih includes authorization headers when handling cross origin…
- CVE-2021-22540 — Medium (CVSS 6.1): Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM…
- CVE-2020-8923 — Medium (CVSS 5.4): An improper HTML sanitization in Dart versions up to and including 2.7.1 and dev versions 2.8.0-dev.16.0, allows an…
- CVE-2021-22567 — Medium (CVSS 4.6): Bidirectional Unicode text can be interpreted and compiled differently than how it appears in editors which can be…
All CVEs affecting Dart Dart Software Development Kit →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…