Neon appears to be shipping Flatpak 1.11.3, which was a development release and is unsupported by upstream. It is vulnerable to at least CVE-2021-41133, CVE-2021-43860 and CVE-2022-21682. (I am not a Neon user myself; I'm basing this on https://invent.kde.org/neon/backports-focal/flatpak and https://repology.org/project/flatpak/versions.)

If Flatpak is sufficiently important for Neon to be backporting it, please use the latest version from a stable branch and keep it up to date. Flatpak stable branches are versioned x.y.z where y is divisible by 2 (such as 1.12.z and 1.10.z). If Neon is based on Ubuntu LTS, you might find https://launchpad.net/~flatpak/+archive/ubuntu/stable useful: it contains semi-official backports of current Flatpak to various LTS branches of Ubuntu.

The 1.11.z stable branch was a series of development releases leading to the 1.12.0 stable release, and will not receive any further releases. There is no upstream security support for old development branches.
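The versioning rule in the report (x.y.z is a stable branch only when y is even) is easy to turn into an inventory check that flags hosts or package recipes shipping a development branch. The following Python is an added example, not code from the report, from Neon or from Flatpak; it assumes that convention, parses the output of `flatpak --version` from a constructed sample string rather than running the command, and the minimum-version table in it is a constructed placeholder that a packager would replace with the fixed versions named in the upstream advisories for the CVEs above.

```python
import re
from typing import Dict, NamedTuple

# Matches a plain x.y.z version anywhere in a string, e.g. in "Flatpak 1.12.4".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


class FlatpakVersion(NamedTuple):
    major: int
    minor: int
    patch: int

    @property
    def branch(self) -> str:
        return f"{self.major}.{self.minor}"

    @property
    def is_stable(self) -> bool:
        # Upstream convention stated in the report: the y in x.y.z is even on stable branches.
        return self.minor % 2 == 0


def parse_version(text: str) -> FlatpakVersion:
    """Extract x.y.z from a version string or from `flatpak --version` output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z Flatpak version found in {text!r}")
    return FlatpakVersion(*(int(g) for g in m.groups()))


def audit_version(installed: str, minimum_by_branch: Dict[str, str]) -> dict:
    """Classify one installed version against the per-branch minimum table."""
    v = parse_version(installed)
    result = {"version": v, "branch": v.branch}
    if not v.is_stable:
        result["status"] = "unsupported-development-branch"
        result["action"] = "move to the latest release of a stable (even-minor) branch"
        return result
    floor = minimum_by_branch.get(v.branch)
    if floor is None:
        result["status"] = "unknown-branch"
        result["action"] = f"no minimum recorded for branch {v.branch}; check upstream support status"
        return result
    # NamedTuple is a tuple, so comparison is element-wise (major, minor, patch).
    if v < parse_version(floor):
        result["status"] = "outdated"
        result["action"] = f"upgrade to at least {floor}"
    else:
        result["status"] = "ok"
        result["action"] = "none"
    return result


def audit_inventory(inventory: Dict[str, str], minimum_by_branch: Dict[str, str]) -> Dict[str, dict]:
    """Run audit_version over a mapping of host/recipe name -> version string."""
    return {name: audit_version(text, minimum_by_branch) for name, text in inventory.items()}


# Constructed placeholder table (hypothetical values): replace with the first release
# on each stable branch that upstream's advisories list as fixing the CVEs of interest.
MINIMUM_STABLE = {
    "1.12": "1.12.99",  # placeholder, not a real fixed version
    "1.10": "1.10.99",  # placeholder, not a real fixed version
}

# Constructed sample inventory; "1.11.3" is the version the report names for Neon,
# the other two entries are made-up strings in the shape `flatpak --version` prints.
SAMPLE_INVENTORY = {
    "neon-focal-backport": "Flatpak 1.11.3",
    "host-a": "Flatpak 1.12.0",
    "host-b": "Flatpak 1.10.0",
}

if __name__ == "__main__":
    for name, r in audit_inventory(SAMPLE_INVENTORY, MINIMUM_STABLE).items():
        print(f"{name}: {r['version'].major}.{r['version'].minor}.{r['version'].patch} "
              f"-> {r['status']} ({r['action']})")
```

The check treats any odd-minor version as unsupported regardless of patch level, which is the point the report makes: a development branch has no security support, so comparing its patch number against anything is meaningless.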
Building... https://invent.kde.org/neon/backports-focal/flatpak/commit/d9d7ea536a7f35db0e9f740b1cbb60011ad0ca0b Thanks for the bug. We are sadly not very automated in our backports, and as we come into the second year of the Ubuntu LTS base we need more of them, so it's an easy aspect to get behind on.
Updated version in now.