X-VPN macOS website versions - Local Privilege Escalation
CVE-2026-2638

7.3HIGH

Key Information:

Vendor: X-vpn
Status: X-vpn Mac OS Website
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-2638?

A vulnerability in the quarantine and restore workflow of the X-VPN macOS website versions 77.0 through 77.5 allow a local attacker to leverage a race condition and symlink manipulation to achieve privileged file corruption.

Affected Version(s)

X-VPN macOS website MacOS 77.0 <= 77.5

References

https://fluidattacks.com/es/advisories/soad

third-party-advisory

https://xvpn.io/resources/statement-local-privilege-escal...

vendor-advisory

https://xvpn.io/download/vpn-mac

patch

CVSS V4

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
Feb 17, 2026

Credit

Oscar Uribe

CVE-2026-2638 Data

JSON

X-vpn

What is CVE-2026-2638?

Affected Version(s)

References

CVSS V4

Timeline

Credit