CVE-2025-4280 TCC Bypass via Inherited Permissions in Bundled Interpreter in Poedit.app
The macOS version of Poedit bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the...
PT-2025-22454 · Poedit · Poedit
Name of the Vulnerable Software and Affected Versions: Poedit versions prior to 3.6.3. Description: The macOS version of Poedit bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with loc...
Poedit security vulnerability
Poedit is a translation editor for Mac, Windows and Unix by the individual developer Václav Slavík. A security vulnerability exists in Poedit versions from 2.0 up to, but not including, 3.6.3 that stems from the bundled Python interpreter inheriting TCC permissions, which could lead to local users accessing...
[SECURITY] [DLA 4087-1] python3.9 security update
Debian LTS Advisory DLA-4087-1 [email protected] https://www.debian.org/lts/security/ Sean Whitton March 20, 2025 https://wiki.debian.org/LTS Package : python3.9 Version : 3.9.2-1+deb11u3 CVE ID : CVE-2022-0391 CVE-2025-0938 CVE-2025-1795 Multiple vulnerabilities were discovered in...
Linux Distros Unpatched Vulnerability : CVE-2023-37271
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - RestrictedPython is a tool that helps to define a subset of the Python language which allows users to provide a program input into a trusted environment...
[SECURITY] Fedora 41 Update: python3.11-3.11.11-5.fc41
Python 3.11 is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. The python3.11 package provides the "python3.11" executable:...
[SECURITY] Fedora 41 Update: python3-docs-3.13.2-1.fc41
The python3-docs package contains documentation on the Python 3 programming language and interpreter...
Advisory ROSA-SA-2025-2676
software: python3 3.8.13 WASP: ROSA-CHROME packageevrstring: python3-3.8.13-6 CVE-ID: CVE-2020-10735 BDU-ID: 2022-05599 CVE-Crit: MEDIUM. CVE-DESC.: A vulnerability in the Python programming language interpreter is related to errors in the conversion of int and str data types. Exploitation of the...
Access of Resource Using Incompatible Type ('Type Confusion')
Overview: RestrictedPython is a defined subset of the Python language which allows providing a program input into a trusted environment. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') due to a type confusion bu...
Ubuntu needrestart Privilege Escalation
Local attackers can execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable. Verified against Ubuntu 22.04 with needrestart 3.5-5ubuntu2.1. Attempted exploitation against Debian 12; exploitation failed...
CLSA-2024-1734028058 Fix CVE(s): CVE-2024-11003, CVE-2024-48990, CVE-2024-48991, CVE-2024-48992
SECURITY UPDATE: Prevent running the Python interpreter with an attacker-controlled PYTHONPATH environment variable - debian/patches/CVE-2024-48990-CVE-2024-48991.patch: do not set PYTHONPATH environment variable to prevent a LPE and prevent race condition on /proc/$PID/exec evaluation -...
Astra Linux - vulnerability in needrestart
Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter instead of the system's real Python interpreter. The initial security fix 6ce6136...
SUSE CVE-2024-48991
Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter instead of the system's real Python interpreter. The initial security fix 6ce6136...
Decades-Old Security Vulnerabilities Found in Ubuntu's Needrestart Package
Multiple decade-old security vulnerabilities have been disclosed in the needrestart package, installed by default in Ubuntu Server since version 21.04, that could allow a local attacker to gain root privileges without requiring user interaction. The Qualys Threat Research Unit (TRU), which identified...
CVE-2024-48991
Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter instead of the system's real Python interpreter. The initial security fix 6ce6136...
DEBIAN-CVE-2024-48991
Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter instead of the system's real Python interpreter. The initial security fix 6ce6136...
CVE-2024-48990
Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable...
USN-7117-1 Several security issues were fixed in needrestart and Module::ScanDeps
Qualys discovered that needrestart passed unsanitized data to a library, libmodule-scandeps-perl, which expects safe input. A local attacker could possibly use this issue to execute arbitrary code as root. CVE-2024-11003: Qualys discovered that the library libmodule-scandeps-perl incorrectly parsed...