Sparkle Project
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-10016 | Sparkle Project | High | 0.57 | — | 0.00 | — | Sep 16, 2025 | The Sparkle framework includes a helper tool, Autoupdate. Due to a lack of authentication of connecting clients, a local unprivileged attacker can request installation of a crafted malicious PKG file by racing to connect to the daemon when another app spawns it as root. This results… |
| CVE-2025-10015 | Sparkle Project | Med | 0.31 | — | 0.00 | — | Sep 16, 2025 | The Sparkle framework includes an XPC service, Downloader.xpc; by default this service is private to the application it is bundled with. A local unprivileged attacker can register this XPC service globally, which will inherit the TCC permissions of the application. Lack of validation… |
| CVE-2026-47122 | Sparkle Project | — | 0.00 | — | 0.00 | — | May 29, 2026 | Summary: AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection. Details: `Autoupdate/AppInstaller.m`'s `shouldAcceptNewConnection:` only enforces `SUCodeSigningVerifier validateConnection:` before stage 1… |
| CVE-2026-47121 | Sparkle Project | — | 0.00 | — | 0.00 | — | May 29, 2026 | Summary: Binary delta apply intermediate-symlink traversal in a malicious .delta. `Autoupdate/SUBinaryDeltaApply.m` enforces `relativePath.pathComponents containsObject:@".."` and rejects writes whose immediate parent directory is itself a symbolic link, but does not detect… |
| CVE-2025-0509 | Sparkle Project | — | 0.00 | — | 0.01 | — | Feb 4, 2025 | A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle's (Ed)DSA signing checks. |