CVE-2025-15523

Source
https://cve.org/CVERecord?id=CVE-2025-15523
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-15523.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-15523
Downstream
Published
2026-01-22T14:45:26.404Z
Modified
2026-07-08T07:57:57.653294332Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
TCC Bypass via Inherited Permissions in Bundled Interpreter in Inkscape.app
Details

MacOS version of Inkscape bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Inkscape, potentially disguising attacker's malicious intent.

This issue has been fixed in 1.4.3 version of Inkscape.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/15xxx/CVE-2025-15523.json",
    "cna_assigner": "CERT-PL",
    "cwe_ids": [
        "CWE-276"
    ]
}
References

Affected packages

Git / gitlab.com/inkscape/inkscape

Affected ranges

Type
GIT
Repo
https://gitlab.com/inkscape/inkscape
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.4.3"
        }
    ]
}

Affected versions

Other
INKSCAPE_0_91_PRE0
INKSCAPE_0_91_PRE1
INKSCAPE_0_91_PRE2
INKSCAPE_0_92_PRE0
INKSCAPE_0_92_PRE1
INKSCAPE_1_0_BETA
INKSCAPE_1_0_BETA1
INKSCAPE_1_0_BETA2
INKSCAPE_1_1_ALPHA
INKSCAPE_1_3_ALPHA
INKSCAPE_1_4
INKSCAPE_1_4_1
INKSCAPE_1_4_1_RC
INKSCAPE_1_4_2
INKSCAPE_1_4_3_RC
INKSCAPE_1_4_3_RC2
INKSCAPE_1_4_BETA
INKSCAPE_1_4_RC1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-15523.json"