Aggregates CVE and security vulnerability intelligence across all arduino-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk path handling and vendor risk cross-site scripting and related problems; some flaws may lead to vendor impact file overwrite and vendor impact session compromise.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-25933 | Arduino App Lab is a cross-platform IDE for developing Arduino Apps. Prior to 0.4.0, a vulnerability was identified in the Terminal component of the arduino-app-lab application. The issue stems from insufficient sanitization and validation of input data received from connected hardware devices, specifically in the _info.Serial and _info.Address metadata fields. The problem occurs during device information handling. When a board is connected, the application collects identifying attributes to est | [email protected] | 6.8 | 0.03% | 2026-02-12 | 2026-02-19 |
| CVE-2025-64724 | Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS is installed with world-writable file permissions on sensitive application components, allowing any local user to replace legitimate files with malicious code. When another user launches the application, the malicious code executes with that user's privileges, enabling privilege escalation and unauthorized access to sensitive data. The fix is included starting from the `2.3.7` release. | [email protected] | 4.8 | 0.01% | 2025-12-18 | 2026-02-19 |
| CVE-2025-64723 | Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS was configured with overly permissive security entitlements that could bypass macOS Hardened Runtime protections. This configuration allows attackers to inject malicious dynamic libraries into the application process, gaining access to all TCC (Transparency, Consent, and Control) permissions granted to the application. The fix is included starting from the `2.3.7 ` release. | [email protected] | 4.8 | 0.01% | 2025-12-18 | 2026-02-19 |
| CVE-2023-49296 | The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 affects the endpoint `/certificate.crt` and the way the web interface of the ArduinoCreateAgent handles custom error messages. An attacker that is able to persuade a victim into clicking on a malicious link can perform a Reflected Cross-Site Scripting attack on the web interface of the create agent, wh | [email protected] | 6.3 | 0.45% | 2023-12-13 | 2024-11-21 |
| CVE-2023-43801 | Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP DELETE request. This issue has been addressed in version `1.3.3` | [email protected] | 6.1 | 0.03% | 2023-10-18 | 2024-11-21 |
| CVE-2023-43800 | Arduino Create Agent is a package to help manage Arduino development. The vulnerability affects the endpoint `/v2/pkgs/tools/installed`. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for | [email protected] | 7.3 | 0.02% | 2023-10-18 | 2024-11-21 |
| CVE-2023-43803 | Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. | [email protected] | 6.1 | 0.02% | 2023-10-18 | 2024-11-21 |
| CVE-2023-43802 | Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/upload` which handles request with the `filename` parameter. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate their privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrad | [email protected] | 7.1 | 0.08% | 2023-10-18 | 2024-11-21 |
| CVE-2019-13991 | Embedded systems based on Arduino before Rev3 allow remote attackers to send data to LEDs (directly connected to GPIO pins) via a laser, because of LED photosensitivity. | [email protected] | 6.5 | 0.12% | 2019-07-19 | 2024-11-21 |