CVE-2026-2638 PUBLISHED

X-VPN macOS website versions - Local Privilege Escalation

Assigner: Fluid Attacks
Reserved: 17.02.2026 Published: 09.06.2026 Updated: 09.06.2026

A vulnerability in the quarantine and restore workflow of the X-VPN macOS website versions 77.0 through 77.5 allow a local attacker to leverage a race condition and symlink manipulation to achieve privileged file corruption.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	Present	Availability	High	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	X-VPN
Product	X-VPN macOS website
Versions	Default: unaffected affected from 77.0 to 77.5 (incl.)

Credits

Oscar Uribe finder

References

Problem Types

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition CWE

Impacts

CAPEC-233 Privilege Escalation