Arc

by Arc

CVEs (19)

  • CVE-2024-45489 · Cri · Sep 20, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Arc before 2024-08-26 allows remote code execution in JavaScript boosts. Boosts that run JavaScript cannot be shared by default; however (because of misconfigured Firebase ACLs), it is possible to create or update a boost using another user's ID. This installs the boost in the…

  • CVE-2024-31850 · Hig · Apr 5, 2024
    risk 0.63 · cvss 8.6 · epss 0.03

    A path traversal vulnerability exists in the Java version of CData Arc < 23.4.8839 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain access to sensitive information and perform limited actions.

  • CVE-2023-5938 · Hig · May 15, 2024
    risk 0.52 · cvss 8.0 · epss 0.01

    Multiple functions use archives without properly validating the filenames therein, rendering the application vulnerable to path traversal via 'zip slip' attacks. An administrator able to provide tampered archives to be processed by the affected versions of Arc may be able to…

  • CVE-2023-50809 · Hig · Aug 12, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    In certain Sonos products before S1 Release 11.12 and S2 release 15.9, the mt_7615.ko wireless driver does not properly validate an information element during negotiation of a WPA2 four-way handshake. This lack of validation leads to a stack buffer overflow. This can result in…

  • CVE-2023-5936 · Hig · May 15, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    On Unix systems (Linux, macOS), Arc uses a temporary file with unsafe privileges. By tampering with such a file, a malicious local user in the system may be able to trigger arbitrary code execution with root privileges.

  • CVE-2026-2378 · Hig · Mar 20, 2026
    risk 0.48 · cvss 7.4 · epss 0.00

    ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.

  • CVE-2025-14809 · Hig · Dec 19, 2025
    risk 0.48 · cvss 7.4 · epss 0.00

    ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.

  • CVE-2023-5935 · Hig · May 15, 2024
    risk 0.48 · cvss 7.4 · epss 0.00

    When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself. A malicious local user or…

  • CVE-2026-47735 · hig · Jun 8, 2026
    risk 0.39 · cvss · epss 0.00

    Summary: Arc's user-SQL validator (`internal/api/query.go:ValidateSQLRequest`) blocked only `read_parquet(` and `arc_partition_agg(` via regex denylist. The broader DuckDB I/O function family — `read_csv_auto`, `read_csv`, `read_json`, `read_json_auto`, `read_text`,…

  • CVE-2023-5937 · Low · May 15, 2024
    risk 0.25 · cvss 3.8 · epss 0.00

    On Windows systems, the Arc configuration files were found to be world-readable. This can lead to information disclosure by local attackers, via exfiltration of sensitive data from configuration files.

  • CVE-2024-52928 · Jun 26, 2025
    risk 0.00 · cvss · epss 0.00

    Arc before 1.26.1 on Windows has a bypass issue in the site settings that allows websites (with previously granted permissions) to add new permissions when the user clicks anywhere on the website.

  • CVE-2012-5872 · Apr 25, 2023
    risk 0.00 · cvss · epss 0.01

    ARC (aka ARC2) through 2011-12-01 allows blind SQL Injection in getTriplePatternSQL in ARC2_StoreSelectQueryHandler.php via comments in a SPARQL WHERE clause.

  • CVE-2021-45891 · Apr 5, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Softwarebuero Zauner ARC 4.2.0.4 that allows attackers to escalate privileges within the application, since all permission checks are done client-side, not server-side.

  • CVE-2021-45892 · Apr 5, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Softwarebuero Zauner ARC 4.2.0.4. There is storage of Passwords in a Recoverable Format.

  • CVE-2021-45893 · Apr 5, 2022
    risk 0.00 · cvss · epss 0.02

    An issue was discovered in Softwarebuero Zauner ARC 4.2.0.4. There is Improper Handling of Case Sensitivity, which makes password guessing easier.

  • CVE-2021-45894 · Apr 5, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Softwarebuero Zauner ARC 4.2.0.4. There is Cleartext Transmission of Sensitive Information.

  • CVE-2015-9275 · Jan 7, 2019
    risk 0.00 · cvss · epss 0.02

    ARC 5.21q allows directory traversal via a full pathname in an archive file.

  • CVE-2005-2992 · Oct 13, 2005
    risk 0.00 · cvss · epss 0.00

    arc 5.21j and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different type of vulnerability than CVE-2005-2945.

  • CVE-2005-2945 · Sep 16, 2005
    risk 0.00 · cvss · epss 0.00

    arc 5.21j and earlier create temporary files with world-readable permissions, which allows local users to read sensitive information from files created by (1) arc (arc.c) or (2) marc (marc.c).