VYPR

Swift package

github.com/sparkle-project/sparkle

pkg:swift/github.com/sparkle-project/sparkle

Vulnerabilities (3)

  • CVE-2026-47122May 29, 2026
    affected <= 2.9.1

    ## Summary AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection. ## Details `Autoupdate/AppInstaller.m`'s `shouldAcceptNewConnection:` only enforces `SUCodeSigningVerifier validateConnection:` before stage 1 compl

  • CVE-2026-47121May 29, 2026
    affected <= 2.9.1

    ## Summary Binary delta apply intermediate-symlink traversal in malicious .delta `Autoupdate/SUBinaryDeltaApply.m` enforces `relativePath.pathComponents containsObject:@".."` and rejects writes whose immediate parent directory IS itself a symbolic link, but does not detect syml

  • CVE-2025-0509Feb 4, 2025
    affected < 2.6.4fixed 2.6.4

    A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.