CVE-2025-4280

MacOS version of Poedit bundles aPython interpreter that inherits the Transparency, Consent, and Control (TCC) permissions
granted by the user to the main application bundle. An attacker with local user access can
invoke this interpreter with arbitrary commands or scripts, leveraging the
application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Poedit, potentially disguising attacker's malicious intent.

This issue has been fixed in 3.6.3 version of Poedit.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
CERT-PLCNA
---
---
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
poedit
plucky
not-affected
oracular
not-affected
noble
not-affected
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
Common Weakness Enumeration
References
https://cert.pl/en/posts/2025/05/CVE-2025-4280
https://cert.pl/posts/2025/05/CVE-2025-4280
https://github.com/vslavik/poedit
https://github.com/vslavik/poedit/security/advisories/GHSA-8fcw-v6gr-hp34
https://poedit.net