Skip to main content
CVE-2026-28857 MEDIUM PATCH This Month

This vulnerability affects Apple's Safari browser and related Apple operating systems (iOS, iPadOS, macOS Tahoe, and visionOS) due to improper memory handling when processing maliciously crafted web content. The flaw can lead to unexpected process crashes, resulting in a denial of service condition affecting all users of the impacted Safari versions and OS versions below 26.4. While no CVSS score or EPSS data is currently published, the vulnerability has been patched by Apple, suggesting it was discovered through internal security review or responsible disclosure rather than active exploitation.

Apple Information Disclosure Buffer Overflow Ios And Ipados Visionos
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32541 MEDIUM This Month

Improper access control in Premmerce Redirect Manager through version 1.0.12 permits authenticated users to bypass authorization checks and manipulate redirect configurations. An attacker with valid credentials could exploit this vulnerability to modify, view, or delete redirects they should not have access to, potentially affecting website traffic and user experience. A patch is not currently available.

Authentication Bypass Premmerce Redirect Manager
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32535 MEDIUM This Month

JS Help Desk (JoomSky) versions up to 3.0.3 contain an authorization bypass vulnerability caused by insecure direct object references (IDOR) and incorrectly configured access control security levels. An attacker with minimal or no privileges can exploit user-controlled keys in API requests or direct object references to access, modify, or view unauthorized help desk tickets, user data, and support resources. While no CVSS score is currently assigned and KEV/EPSS data are unavailable, the vulnerability has been publicly reported by Patchstack with reference documentation available.

Authentication Bypass Js Help Desk
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32533 MEDIUM This Month

An authorization bypass vulnerability exists in LatePoint versions up to and including 5.2.6 that allows attackers to exploit incorrectly configured access control security levels through user-controlled key manipulation. This Insecure Direct Object Reference (IDOR) vulnerability enables attackers without proper authentication or authorization to access resources they should not have permission to view or modify. The vulnerability affects the LatePoint WordPress plugin and has been documented by Patchstack with proof-of-concept details available, making it a practical exploitation risk for unpatched installations.

Authentication Bypass Latepoint
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32527 MEDIUM This Month

WP Insightly plugin versions 1.1.5 and earlier for Contact Form 7, WPForms, Elementor, Formidable, and Ninja Forms contain an authorization bypass that allows unauthenticated attackers to modify data through misconfigured access controls. An attacker can exploit this vulnerability to perform unauthorized actions on forms and contacts without proper permissions. No patch is currently available.

Authentication Bypass Wp Insightly For Contact Form 7 Wpforms Elementor Formidable And Ninja Forms Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32514 MEDIUM This Month

Petitioner version 0.7.3 and earlier contains a missing authorization check that allows authenticated users to modify data or settings they should not have access to due to incorrectly configured access control levels. An attacker with valid credentials can exploit this to perform unauthorized actions without requiring user interaction. A patch is not currently available for this vulnerability.

Authentication Bypass Petitioner
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32489 MEDIUM PATCH This Month

Improper access control in bPlugins B Blocks versions prior to 2.0.30 allows unauthenticated remote attackers to modify data and degrade system availability through misconfigured security levels. The vulnerability requires no user interaction and can be exploited over the network, affecting the integrity and availability of affected installations.

Authentication Bypass B Blocks
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32483 MEDIUM This Month

Improper access control in Contact Form Email plugin version 1.3.63 and earlier allows authenticated attackers to modify or inject unauthorized data through inadequately restricted endpoints. An attacker with low-privilege access can exploit misconfigured security levels to manipulate form submissions or sensitive information without proper authorization checks.

Authentication Bypass Contact Form Email
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27046 MEDIUM This Month

Kaira StoreCustomizer woocustomizer versions 2.6.3 and earlier contain a missing authorization flaw that allows authenticated users to modify store customization settings they should not have access to. An attacker with low-level user privileges can exploit this misconfigured access control to make unauthorized changes to the store's appearance and configuration. No patch is currently available for this vulnerability.

Authentication Bypass Storecustomizer
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25469 MEDIUM This Month

The ViaBill payment gateway plugin for WooCommerce versions 1.1.53 and earlier contains an authorization bypass vulnerability that allows unauthenticated attackers to manipulate access controls. An attacker can exploit this misconfiguration to modify transaction data or disrupt payment processing on affected WordPress stores. No patch is currently available for this vulnerability.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25462 MEDIUM This Month

Improper access control in Avalex versions up to 3.1.3 allows unauthenticated remote attackers to modify data or cause service disruptions due to incorrectly configured security levels. The vulnerability requires no user interaction and can be exploited over the network, affecting the integrity and availability of the affected system.

Authentication Bypass Avalex
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25455 MEDIUM This Month

Authenticated users can bypass authorization checks in PickPlugins Product Slider for WooCommerce version 1.13.60 and earlier due to improper access control, allowing them to modify product slider configurations they should not have permission to alter. This vulnerability requires valid WordPress credentials but no additional user interaction, affecting all installations of the vulnerable plugin. A patch is not currently available.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25454 MEDIUM This Month

This is a missing authorization vulnerability (CWE-862) in MVPThemes The League WordPress theme affecting versions up to 4.4.1, where incorrectly configured access control security levels allow attackers to bypass authentication mechanisms. An attacker can exploit this broken access control to perform unauthorized actions or access restricted functionality without proper credentials. While no CVSS score or EPSS data is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15732, indicating active tracking by EU vulnerability databases.

Authentication Bypass The League
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25437 MEDIUM This Month

GZSEO through version 2.0.14 contains an authorization bypass that allows unauthenticated remote attackers to modify data or cause service disruption through improperly configured access controls. The vulnerability enables attackers to exploit weakened security levels without requiring valid credentials or user interaction. No patch is currently available for this vulnerability.

Authentication Bypass Gzseo
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25430 MEDIUM This Month

The CRM Perks Integration plugin for Mailchimp (versions through 1.2.2) contains a missing authorization flaw that allows authenticated attackers to modify data through incorrectly configured access controls. An attacker with user-level permissions could bypass authorization checks to alter form submissions and contact information across integrated platforms including Contact Form 7, WPForms, Elementor, and Ninja Forms. No patch is currently available for this vulnerability.

Authentication Bypass Integration For Mailchimp And Contact Form 7 Wpforms Elementor Ninja Forms Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25398 MEDIUM This Month

Vertex Addons for Elementor through version 1.6.4 contains an authorization bypass vulnerability that allows authenticated attackers to modify content or settings they should not have access to due to improperly configured access controls. An attacker with low-level user privileges can escalate their capabilities by exploiting the misconfigured security levels. No patch is currently available for this vulnerability.

Authentication Bypass Vertex Addons For Elementor Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25390 MEDIUM This Month

The New User Approve plugin for WordPress versions 3.2.3 and earlier contains a missing authorization check that allows authenticated users to modify access control settings beyond their intended privileges. An attacker with basic user credentials could escalate their permissions or alter security configurations without proper authorization. No patch is currently available for this vulnerability.

Authentication Bypass New User Approve
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25365 MEDIUM PATCH This Month

Kargo Takip versions prior to 0.2.4 contain a missing authorization vulnerability that allows authenticated users to modify data or perform unauthorized actions due to improper access control enforcement. An attacker with valid credentials could exploit this weakness to manipulate shipment tracking information or other protected resources without proper privilege verification. No patch is currently available for this vulnerability.

Authentication Bypass Kargo Takip
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25327 MEDIUM This Month

Rustaurius Five Star Restaurant Reservations through version 2.7.9 contains an authorization bypass vulnerability that allows unauthenticated attackers to modify reservation data and disrupt service availability by exploiting misconfigured access controls. The vulnerability requires no user interaction and can be triggered remotely, enabling attackers to tamper with restaurant operations without authentication. No patch is currently available for this vulnerability.

Authentication Bypass Five Star Restaurant Reservations
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25034 MEDIUM This Month

Iqonic Design KiviCare clinic management system versions 3.6.16 and earlier contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data and disrupt service availability through improperly configured access controls. The vulnerability has no available patch and affects the system's ability to properly enforce permission levels across its features.

Authentication Bypass Kivicare
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25009 MEDIUM This Month

The Education Zone WordPress theme through version 1.3.8 contains an access control misconfiguration that allows unauthenticated remote attackers to modify content and cause service disruptions. This missing authorization vulnerability enables attackers to bypass security controls and perform unauthorized actions on affected sites. No patch is currently available for this vulnerability.

Authentication Bypass Education Zone
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24987 MEDIUM This Month

Authenticated users can bypass authorization controls in WP System Log plugin versions up to 1.2.7 to modify system logs due to improper access control validation. An attacker with valid credentials could alter log data to cover tracks or manipulate audit records without additional privileges. No patch is currently available for this vulnerability.

Authentication Bypass Wp System Log
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24972 MEDIUM This Month

Elated Listing through version 1.4 contains an authorization bypass that allows authenticated users to modify data they should not have access to due to improperly configured access controls. An attacker with valid credentials can exploit this missing authorization check to perform unauthorized modifications, though they cannot access sensitive information or disrupt system availability. No patch is currently available for this medium-severity vulnerability.

Authentication Bypass Elated Listing
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24376 MEDIUM This Month

WPVulnerability plugin through version 4.2.1 contains an authorization bypass that allows authenticated users to modify data they should not have access to due to improperly enforced access controls. An attacker with valid login credentials can escalate privileges to perform unauthorized modifications within the plugin's protected functions. No patch is currently available for this vulnerability.

Authentication Bypass Wpvulnerability
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24364 MEDIUM This Month

Improper access control in WP User Frontend through version 4.2.5 allows authenticated users to modify content they should not have permission to access. An attacker with valid WordPress credentials could exploit misconfigured security levels to gain unauthorized write access to restricted resources without requiring additional user interaction.

Authentication Bypass Wp User Frontend
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23972 MEDIUM This Month

The Booking and Rental Manager plugin for WordPress through version 2.6.0 contains an authorization bypass that allows authenticated attackers to modify data they should not have access to. An attacker with low-privilege user credentials can exploit inadequately enforced access controls to perform unauthorized actions. No patch is currently available for this vulnerability.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22485 MEDIUM This Month

Improper access control in My Album Gallery versions up to 1.0.4 enables authenticated users to modify gallery data they should not have permission to access. An attacker with valid credentials can exploit this misconfiguration to alter or manipulate album content without proper authorization checks.

Authentication Bypass My Album Gallery
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28835 MEDIUM PATCH This Month

macOS systems running Sequoia 15.7.4 or earlier, Sonoma 14.8.4 or earlier, and Tahoe 26.3 or earlier contain a use-after-free vulnerability in SMB share handling that could allow an attacker to crash the operating system by mounting a specially crafted network share. The vulnerability requires user interaction to mount the malicious share and results in denial of service rather than code execution or data compromise. No patch is currently available for this vulnerability.

Apple Use After Free Memory Corruption Information Disclosure macOS
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-20110 MEDIUM This Month

Insufficient privilege validation on the start maintenance command in Cisco IOS XE Software enables authenticated local attackers to trigger a denial of service by placing devices into maintenance mode, which disables network interfaces. Low-privileged users can exploit this via CLI access without administrative credentials. Device recovery requires administrator intervention using the stop maintenance command.

Cisco Denial Of Service Apple
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28863 MEDIUM PATCH This Month

A permissions issue across Apple's ecosystem allows applications to fingerprint users by accessing information that should be restricted. The vulnerability affects iOS and iPadOS versions prior to 26.4, tvOS prior to 26.4, visionOS prior to 26.4, and watchOS prior to 26.4. Attackers can exploit this by deploying a malicious app that leverages inadequate permission restrictions to collect device and user identifiers for tracking and profiling purposes. The issue has been addressed by Apple through additional permission restrictions in the patched versions, indicating this is a known vulnerability with an available fix.

Apple Authentication Bypass
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3119 MEDIUM PATCH This Month

BIND 9 DNS server crashes when processing specially crafted TSIG-authenticated queries containing TKEY records, affecting versions 9.20.0-9.20.20, 9.21.0-9.21.19, and 9.20.9-S1-9.20.20-S1 on Ubuntu, SUSE, and Debian systems. An authenticated attacker with a valid TSIG key can trigger a denial of service by sending a malformed query, disrupting DNS resolution services. A patch is available for affected installations.

Denial Of Service Bind 9
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4766 MEDIUM This Month

The Easy Image Gallery plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Gallery shortcode post meta field that affects all versions up to and including 1.5.3. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes in the browsers of users viewing the affected pages, potentially compromising user sessions, stealing credentials, or performing actions on behalf of legitimate users. The vulnerability stems from insufficient input sanitization and output escaping in the shortcode handler, as documented in the WordPress plugin repository source code.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-24964 MEDIUM This Month

A Server-Side Request Forgery (SSRF) vulnerability exists in Contest Gallery, a WordPress plugin developed by Wasiliy Strecker, affecting versions up to and including 28.1.2.1. This vulnerability allows attackers to abuse the affected application to make unauthorized requests to internal or external systems, potentially leading to information disclosure, internal network reconnaissance, or attacks against backend services. The vulnerability was reported by Patchstack and tracked under EUVD-2026-15576; however, no CVSS score, EPSS data, or confirmed active exploitation status is currently available, limiting the ability to assess immediate severity.

SSRF Contest Gallery
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-24362 MEDIUM This Month

A missing authorization vulnerability exists in bdthemes Ultimate Post Kit WordPress plugin through version 4.0.21, where incorrectly configured access control allows attackers to bypass authentication mechanisms and exploit broken access control security levels. An attacker can leverage this vulnerability to perform unauthorized actions that should be restricted to authenticated or privileged users. While no CVSS score, EPSS data, or confirmed KEV status is currently available, the vulnerability is classified under CWE-862 (Missing Authorization) and has been documented by Patchstack, indicating active research and potential exploitation concern.

Authentication Bypass Ultimate Post Kit
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-33751 MEDIUM PATCH This Month

n8n contains an LDAP injection vulnerability in the LDAP node's filter escape logic that allows LDAP metacharacters to pass through unescaped when user-controlled input is interpolated into LDAP search filters. This affects n8n versions prior to 1.123.27, 2.13.3, and 2.14.1, enabling attackers to manipulate LDAP queries to retrieve unintended directory records or bypass authentication controls implemented within workflows. The vulnerability requires specific workflow configuration (LDAP node receiving external user input via expressions) and has not been publicly reported as actively exploited, though no proof-of-concept availability is explicitly confirmed across available intelligence sources.

LDAP Authentication Bypass Code Injection
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-33749 MEDIUM PATCH This Month

A stored cross-site scripting (XSS) vulnerability in n8n workflow automation platform allows authenticated users to craft malicious workflows that execute arbitrary JavaScript in the browsers of higher-privileged users. Affected versions are n8n prior to 1.123.27, 2.13.3, and 2.14.1 (identified via CPE cpe:2.3:a:n8n-io:n8n). An attacker with workflow creation/modification permissions can exploit the `/rest/binary-data` endpoint's failure to properly sanitize HTML responses, enabling credential theft, workflow manipulation, and privilege escalation to administrative access with full same-origin context.

XSS Privilege Escalation N8n
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2025-14810 MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 fail to invalidate user sessions when administrative privileges are revoked, allowing authenticated users to retain access to sensitive information they should no longer be able to access. The vulnerability affects the session management layer and requires an authenticated attacker with initial system access. A patch is available from IBM, and this represents a privilege escalation and information disclosure risk in enterprise data integration environments.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-25460 MEDIUM This Month

This is a Missing Authorization (Broken Access Control) vulnerability in LiquidThemes Ave Core plugin affecting versions up to 2.9.1, where incorrectly configured access control security levels allow attackers to bypass authentication mechanisms and access protected functionality. The vulnerability, classified under CWE-862, impacts WordPress installations using the affected Ave Core plugin versions. While no CVSS score, EPSS data, or confirmed KEV status is currently available, the Patchstack intelligence indicates this represents an authentication bypass weakness that could enable unauthorized access to administrative or sensitive features without proper privilege escalation.

Authentication Bypass Ave Core
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-28867 MEDIUM PATCH This Month

A kernel state information disclosure vulnerability exists across Apple's entire platform ecosystem that allows a malicious application to leak sensitive kernel memory without requiring elevated privileges. The vulnerability affects iOS and iPadOS versions prior to 18.7.7 and 26.4, macOS Sequoia prior to 15.7.5, macOS Tahoe 26.4, and tvOS, visionOS, and watchOS 26.4. An attacker can craft a specially designed app that exploits improper authentication mechanisms to access protected kernel state, potentially exposing cryptographic keys, memory addresses, or other sensitive operating system internals that could be chained with other vulnerabilities.

Apple Information Disclosure macOS iOS
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-28822 MEDIUM PATCH This Month

Type confusion in Apple's iOS, iPadOS, macOS, tvOS, visionOS, and watchOS allows local attackers to trigger unexpected application termination through memory corruption. The vulnerability affects multiple OS versions and currently lacks a publicly available patch. An attacker with local access can exploit this to cause denial of service by crashing targeted applications.

Apple Memory Corruption Information Disclosure macOS iOS
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-20637 MEDIUM PATCH This Month

Denial of service in Apple iOS, iPadOS, and macOS due to a use-after-free memory corruption vulnerability allows local attackers to trigger unexpected system termination. The flaw affects multiple Apple platforms including iOS 18.x, macOS Sequoia, Sonoma, and Tahoe versions. No patch is currently available.

Apple Use After Free Denial Of Service Memory Corruption macOS +1
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-20699 MEDIUM PATCH This Month

A downgrade vulnerability affecting Intel-based Mac computers allows malicious applications to bypass code-signing restrictions and access user-sensitive data. The vulnerability impacts macOS Sequoia (versions before 15.7.5), macOS Sonoma (versions before 14.8.5), macOS Tahoe (versions before 26.3 and 26.4), and affects all Intel-based Mac systems running vulnerable versions. An attacker can craft an application that exploits insufficient code-signing validation to downgrade security protections and exfiltrate sensitive user information.

Apple Information Disclosure Intel Jwt Attack macOS
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-28841 MEDIUM PATCH This Month

macOS Tahoe versions prior to 26.4 contain a buffer overflow vulnerability that can cause denial of service through unexpected application termination or memory corruption when exploited by local attackers. The vulnerability stems from insufficient size validation in memory operations and requires no user interaction to trigger. No patch is currently available for affected systems.

Apple Buffer Overflow macOS
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-28866 MEDIUM PATCH This Month

A symlink validation vulnerability in Apple's iOS, iPadOS, and macOS operating systems allows malicious applications to bypass file system protections and access sensitive user data through improper handling of symbolic links. The vulnerability affects iOS 18.7.7 and earlier, iPadOS 18.7.7 and earlier, iOS 26.4 and earlier, iPadOS 26.4 and earlier, macOS Sequoia 15.7.5 and earlier, macOS Sonoma 14.8.5 and earlier, and macOS Tahoe 26.4 and earlier. An attacker with the ability to install or execute an application on the affected system could leverage this weakness to read restricted files and access private user information without proper authorization.

Apple Information Disclosure macOS iOS
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-20695 MEDIUM PATCH This Month

An information disclosure vulnerability in macOS allows applications to determine kernel memory layout through improper memory management, enabling potential attacks that rely on kernel address space layout randomization (KASLR) bypass. This issue affects macOS Sequoia (before 15.7.5), macOS Sonoma (before 14.8.5), and macOS Tahoe (before 26.4). An unprivileged application can exploit this to leak kernel memory addresses, which is a critical prerequisite for more sophisticated kernel exploitation attacks. No CVSS score, EPSS probability, or evidence of active exploitation in CISA KEV catalog has been published, though the vulnerability was patched by Apple across three major OS versions, suggesting it was discovered through responsible disclosure rather than in-the-wild exploitation.

Apple Information Disclosure macOS
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-20651 MEDIUM PATCH This Month

A privacy vulnerability in macOS allows applications to access sensitive user data through improper handling of temporary files. The issue affects macOS Sequoia (versions prior to 15.7.5), macOS Sonoma (versions prior to 14.8.4), and macOS Tahoe (versions prior to 26.3). An unprivileged application could exploit weak temporary file protections to read or manipulate sensitive data, though no active exploitation in the wild or public proof-of-concept has been confirmed at this time.

Apple Information Disclosure macOS
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-28889 MEDIUM PATCH This Month

A permissions bypass vulnerability in Apple Xcode allows unprivileged applications to read arbitrary files with root-level privileges due to insufficient access controls. The vulnerability affects Xcode versions prior to 26.4 and could enable attackers to exfiltrate sensitive system files or configuration data. While no CVSS score or EPSS data is currently published, the ability to read arbitrary files as root represents a critical privilege escalation issue that warrants immediate patching.

Privilege Escalation Xcode
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-28833 MEDIUM PATCH This Month

A permissions enforcement vulnerability in Apple's operating systems allows third-party applications to enumerate installed applications on a user's device without proper authorization. This information disclosure issue affects iOS, iPadOS, macOS, and visionOS versions prior to 26.4, enabling attackers to gain insight into a user's software ecosystem for profiling or targeting purposes. Apple has addressed this with additional access restrictions in the patched versions, though no CVSS score, EPSS data, or known active exploitation has been publicly disclosed.

Apple Authentication Bypass
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-12708 MEDIUM PATCH This Month

IBM Concert versions 1.0.0 through 2.2.0 contain hard-coded credentials accessible to local users, enabling unauthorized authentication bypass and potential privilege escalation. An attacker with local access can extract these credentials to gain unauthorized system access without requiring network connectivity or user interaction. This vulnerability is classified as moderate severity (CVSS 6.2) with high confidentiality impact but no direct integrity or availability impact.

IBM Authentication Bypass
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-64646 MEDIUM PATCH This Month

IBM Concert versions 1.0.0 through 2.2.0 suffer from improper buffer resource clearing that allows local attackers to read sensitive information directly from process memory without requiring privileges or user interaction. This information disclosure vulnerability (CVSS 6.2) affects IBM Concert across multiple versions and has a vendor patch available, though no evidence of active exploitation or public proof-of-concept has been reported in the provided intelligence.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
Prev Page 2 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy