CVE-2025-11921

iStats contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via command injection.This issue affects iStats: 7.10.4.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
Fluid AttacksCNA
---
---
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 43%
Common Weakness Enumeration
References
https://bjango.com/mac/istatmenus/
https://cdn.istatmenus.app/files/istatmenus7/versions/iStatMenus7.10.6.zip
https://fluidattacks.com/advisories/muse