CVE-2026-24063
8.2 HIGHWhen a plugin is installed using the Arturia Software Center (MacOS), it also installs an uninstall.sh bash script in a root owned path
Published: 2026-03-18 · Last updated: 2026-05-19
Severity and scoring
- CVSS
- 8.2 HIGH
- Vector
- CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
- CWE
- CWE-276
Description
When a plugin is installed using the Arturia Software Center (MacOS), it also installs an uninstall.sh bash script in a root owned path. This script is written to disk with the file permissions 777, meaning it is writable by any user. When uninstalling a plugin via the Arturia Software Center the Privileged Helper gets instructed to execute this script. When the bash script is manipulated by an attacker this scenario will lead to privilege escalation.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-50255 — Incorrect default permissions issue exists in Optical Disc Archive Software for Windows 5.5.3 and earlier (6.7 MEDIUM)
- CVE-2026-11931 — Incorrect default permissions in Kiro IDE on macOS and Linux before version 0.11.133 could expose the authentication token cache file to ... (5.5 MEDIUM)
- CVE-2026-49157 — Incorrect Default Permissions vulnerability in Apache ActiveMQ (8.8 HIGH)
- CVE-2026-48191 — An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules... (3.5 LOW)
- CVE-2026-48190 — An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query ... (3.5 LOW)