VYPR
Vendor: Sparkle Project
Products: 1
CVEs: 5 (across products: 5)
Status: Private

Recent CVEs (5)
  • CVE-2025-10016 (High), Sep 16, 2025
    risk 0.57 | cvss n/a | epss 0.00

    The Sparkle framework includes a helper tool, Autoupdate. Due to the lack of authentication of connecting clients, a local unprivileged attacker can request installation of a crafted malicious PKG file by racing to connect to the daemon when another app spawns it as root. This results…

  • CVE-2025-10015 (Medium), Sep 16, 2025
    risk 0.31 | cvss n/a | epss 0.00

    The Sparkle framework includes an XPC service, Downloader.xpc; by default this service is private to the application it is bundled with. A local unprivileged attacker can register this XPC service globally, which will inherit the TCC permissions of the application. Lack of validation…

  • CVE-2026-47122, May 29, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Summary: AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection. Details: `Autoupdate/AppInstaller.m`'s `shouldAcceptNewConnection:` only enforces `SUCodeSigningVerifier validateConnection:` before stage 1…

  • CVE-2026-47121, May 29, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Summary: Binary delta apply intermediate-symlink traversal in malicious .delta. `Autoupdate/SUBinaryDeltaApply.m` enforces `relativePath.pathComponents containsObject:@".."` and rejects writes whose immediate parent directory IS itself a symbolic link, but does not detect…

  • CVE-2025-0509, Feb 4, 2025
    risk 0.00 | cvss n/a | epss 0.01

    A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.