cpe:2.3:a:arduino:arduino-ide:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Arduino (a6c9e11a-439e-5c89-be14-a8208b9cb88c)
Product: Arduino Ide (c2c295e4-bc03-576a-b073-64226bf2ab2e)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2025-64724 | vulnerable | 2026-06-08 07:39:20.201004 | Arduino IDE for macOS has Insecure File Permissions
Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS is installed with world-writable file permissions on sensitive application components, allowing any local user to replace legitimate files with malicious code. When another user launches the application, the malicious code executes with that user's privileges, enabling privilege escalation and unauthorized access to sensitive data. The fix is included starting from the `2.3.7` release.
Published: 2025-12-18T15:18:39.642Z
Updated: 2025-12-18T19:06:40.437Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-64723 | vulnerable | 2026-06-08 07:39:20.199770 | Arduino IDE for macOS has TCC Bypass via Dynamic Library Injection
Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS was configured with overly permissive security entitlements that could bypass macOS Hardened Runtime protections. This configuration allows attackers to inject malicious dynamic libraries into the application process, gaining access to all TCC (Transparency, Consent, and Control) permissions granted to the application. The fix is included starting from the `2.3.7` release.
Published: 2025-12-18T15:15:15.883Z
Updated: 2026-01-14T16:41:03.867Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-27608 | vulnerable | 2026-06-08 07:14:55.368282 | Self Cross-Site Scripting in Arduino IDE
Arduino IDE 2.x is an IDE based on the Theia IDE framework and built with Electron. A Self Cross-Site Scripting (XSS) vulnerability has been identified within the Arduino-IDE prior to version v2.3.5. The vulnerability occurs in the Additional Board Manager URLs field, which can be found in the Preferences -> Settings section of the Arduino IDE interface. In the vulnerable versions, any values entered in this field are directly displayed to the user through a notification tooltip object, without a proper output encoding routine, due to the underlying ElectronJS engine interpretation. This vulnerability exposes the input parameter to Self-XSS attacks, which may lead to security risks depending on where the malicious payload is injected. This vulnerability is fixed in 2.3.5.
Published: 2025-04-02T21:09:16.943Z
Updated: 2025-04-03T14:01:53.189Z
Imported from gcve-enriched-dumps CVE data