CVE-2025-12792 LOW

Vendor: Canva
Product: Canva
Weakness: CWE-276
Published: November 18, 2025
Last update: November 18, 2025

CVSS base score

3.2/10
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: Required
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

What the vulnerability does

01 Description

The Mac App Store distribution of the Canva for Mac desktop app before 1.117.1 was built without Hardened Runtime. A local threat actor with unprivileged access could execute arbitrary code that inherits the TCC (Transparency, Consent, and Control) permissions assigned to Canva.

Key dates

02 Disclosure timeline

November 18, 2025: CVE published
November 18, 2025: Record updated