CVE-2021-40531

CRITICAL

Sketch < 75 - Remote Code Execution via Library Feed File Quarantine Bypass

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-40531. PoCs published by jonpalmisc.

AI-analyzed exploit summary This repository contains a writeup and demonstration of CVE-2021-40531, a macOS quarantine bypass vulnerability in Sketch that can lead to remote code execution. The README provides context and references a blog post for detailed technical analysis.

Description

Sketch before 75 allows library feeds to be used to bypass file quarantine. Files are automatically downloaded and opened, without the com.apple.quarantine extended attribute. This results in remote code execution, as demonstrated by CommandString in a terminal profile to Terminal.app.

Exploits (1)

nomisec WRITEUP 13 stars
by jonpalmisc · poc
https://github.com/jonpalmisc/CVE-2021-40531

This repository contains a writeup and demonstration of CVE-2021-40531, a macOS quarantine bypass vulnerability in Sketch that can lead to remote code execution. The README provides context and references a blog post for detailed technical analysis.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Sketch (macOS UI/UX design app)
No auth needed
Prerequisites: Victim interaction (e.g., opening a malicious file) · Web server running on port 8080 for local testing
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Patch, Release Notes, Vendor Advisory x_refsource_misc
https://www.sketch.com/updates/#version-75
Exploit, Third Party Advisory x_refsource_misc
https://jonpalmisc.com/2021/11/22/cve-2021-40531

Scores

CVSS v3 9.8
EPSS 0.3276
EPSS Percentile 98.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (1)
sketch/sketch < 75
Published Sep 06, 2021
Tracked Since Feb 18, 2026