CVE-2025-10015 — The Sparkle framework includes an XPC service Downloader.xpc, by default this service is private to the application its bundled with. A local unprivileged attacker can register this XPC service global — CVE Database · The Intelligence Room