CVE ID :CVE-2026-40556 Published : April 28, 2026, 1:54 p.m. | 42 minutes ago Description :GNU nano creates the user’s ~/.local directory with overly permissive permissions when the directory does not exist yet. On first use of features requiring Cross-Desktop Group (XDG) data storage, nano explicitly requests directory mode 0777, making the directory world‑writable in environments where the process umask does not sufficiently restrict permissions. In systems with a relaxed or zero umask, such as container environments, CI/CD runners, embedded systems, or user shells configured with umask 000, this results in ~/.local being created as world‑writable. A local attacker can exploit a race window between nano’s creation of ~/.local and its subsequent creation of more restrictive subdirectories to write attacker‑controlled files into the victim’s XDG directory hierarchy. This problem was fixed in nano version 9.0 Severity: 2.1 | LOW Visit the link for more details, such as CVSS details, affected products, timeline, and more...