Swift package
github.com/sparkle-project/sparkle
pkg:swift/github.com/sparkle-project/sparkle
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-47122 | — | <= 2.9.1 | — | May 29, 2026 | ## Summary AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection. ## Details `Autoupdate/AppInstaller.m`'s `shouldAcceptNewConnection:` only enforces `SUCodeSigningVerifier validateConnection:` before stage 1 compl | ||
| CVE-2026-47121 | — | <= 2.9.1 | — | May 29, 2026 | ## Summary Binary delta apply intermediate-symlink traversal in malicious .delta `Autoupdate/SUBinaryDeltaApply.m` enforces `relativePath.pathComponents containsObject:@".."` and rejects writes whose immediate parent directory IS itself a symbolic link, but does not detect syml | ||
| CVE-2025-0509 | Hig | 7.3 | < 2.6.4 | 2.6.4 | Feb 4, 2025 | A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks. |
- CVE-2026-47122May 29, 2026affected <= 2.9.1
## Summary AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection. ## Details `Autoupdate/AppInstaller.m`'s `shouldAcceptNewConnection:` only enforces `SUCodeSigningVerifier validateConnection:` before stage 1 compl
- CVE-2026-47121May 29, 2026affected <= 2.9.1
## Summary Binary delta apply intermediate-symlink traversal in malicious .delta `Autoupdate/SUBinaryDeltaApply.m` enforces `relativePath.pathComponents containsObject:@".."` and rejects writes whose immediate parent directory IS itself a symbolic link, but does not detect syml
- affected < 2.6.4fixed 2.6.4
A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.