CVE-2025-12792

EUVD-2025-197904
The Mac App Store distribution of the Canva for Mac desktop app before 1.117.1 was built without Hardened Runtime. A local threat actor with unprivileged access could execute arbitrary code that inherits the TCC (Transparency, Consent, and Control) permissions assigned to Canva.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
BugcrowdCNA
3.2 LOW
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
canvacanva
𝑥
< 1.117.1
CNA
Common Weakness Enumeration
References
https://trust.canva.com/?tcuUid=1e77a34b-f586-450b-b30d-b6e17d15b443