Improper authorization in the Wallet System for WooCommerce WordPress plugin (versions 2.7.6 and earlier) lets low-privileged authenticated users — subscriber-level accounts — perform wallet actions reserved for higher roles, enabling manipulation of stored wallet balances and transactions. The flaw, reported by Patchstack and tracked as CWE-862 (Missing Authorization), carries a 7.1 (High) CVSS score driven by high integrity impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Reflected/stored cross-site scripting in the WordPress plugin BEAR (realmag777's WooCommerce Bulk Editor and Products Manager, woo-bulk-editor) version 1.1.8 and earlier allows an unauthenticated remote attacker to inject malicious script that executes in a victim's browser when the victim is lured to interact with a crafted request. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) indicates network-reachable, no-authentication exploitation that requires user interaction and crosses a security scope boundary. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported by Patchstack.
Authenticated path traversal in the Epiphyt Embed Privacy WordPress plugin (versions up to and including 1.12.3) lets a low-privileged user supply a crafted pathname that escapes the plugin's intended directory, enabling arbitrary file deletion on the host as reflected by the Patchstack advisory title. The CVSS 7.1 vector (C:N/I:L/A:H) shows the primary danger is availability — deleting files such as wp-config.php or core assets can break or take down the site. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Heap-based buffer overflow in PcapPlusPlus 25.05 allows remote, unauthenticated attackers to corrupt heap memory by sending a crafted Modbus TCP packet containing a malformed `length` field to applications using the library's `pcpp::ModbusLayer::getLength()` parser. The CVSS 4.0 score of 2.9 reflects the high attack complexity (AC:H) required to exploit the flaw reliably, with impact capped at low across confidentiality, integrity, and availability. Publicly available exploit code exists (poc.zip), though no active exploitation has been confirmed by CISA KEV at time of analysis.
Google OAuth login in Documenso through version 2.11.0 fails to enforce two-factor authentication during the OAuth callback flow, allowing a remote attacker to authenticate as any Google-linked user without completing MFA verification. The flaw resides in handle-oauth-callback-url.ts, where the oauth2fa state is not properly routed through the dedicated OAuth 2FA verification path - as confirmed by the PR diff showing the signin form was not checking the oauth2fa=true callback parameter. Publicly available exploit code exists (GitHub issue #2758), though no active exploitation has been confirmed and the CVSS 4.0 AC:H rating indicates the attack requires precise manipulation of the OAuth callback flow.
Cherry Studio's MCP OAuth Local Callback Server, in all versions up to 1.9.6, accepts OAuth authorization code callbacks without validating the OAuth `state` parameter, enabling authorization code injection attacks. The PR diff confirms that `src/main/services/mcp/oauth/callback.ts` processed any inbound `code` value without checking a bound state token, allowing a network-positioned attacker to substitute a malicious authorization code during an active OAuth flow. A public exploit has been disclosed via GitHub issue #15372; no confirmed patched release exists - only an unmerged fix PR (#15388) - and no active exploitation has been confirmed (not in CISA KEV).
SQL injection in YzmCMS up to version 7.5 allows network-based attackers to manipulate database queries by supplying crafted input to the siteurl argument within the installation endpoint /application/install/index.php. No authentication is required per the CVSS 4.0 vector (PR:N), though the attack is rated high complexity (AC:H), meaning exploitation is non-trivial despite a publicly available proof-of-concept on GitHub. The vendor did not respond to coordinated disclosure, leaving no official patch available; CVSS 4.0 scores this 6.3 with partial impact across confidentiality, integrity, and availability - no confirmed active exploitation (not in CISA KEV).
Hidden field data disclosure in Teable before 2026-06-15T04-43-24Z.1912 allows unauthenticated remote attackers to bypass share view field visibility restrictions by supplying arbitrary field IDs in the API projection parameter. The share view records endpoint fails to enforce server-side field visibility policy, permitting any caller with access to a public share URL to read field values the table owner explicitly marked as hidden. No public exploit code has been identified at time of analysis, but the attack is trivially repeatable - field IDs are enumerable from unauthenticated share metadata, requiring no special tools or privileges beyond network access.
Out-of-bounds read in Eclipse tinydtls prior to commit b3efd41ad111a4920f599f51ffa4f5e9f1e72221 allows unauthenticated network attackers to crash memory-constrained IoT devices by sending a specially crafted Certificate handshake message during DTLS epoch 0. The vulnerable check_server_certificate() function omits buffer length validation before uint24 reads, memcmp, and memcpy operations, enabling reads beyond valid buffer boundaries on both client and server code paths. No public exploit code or active exploitation has been identified at time of analysis; however, the unauthenticated, network-reachable nature makes this straightforward to trigger against any exposed tinydtls endpoint.
Stack exhaustion in the mdex and mdex_native Elixir Markdown libraries causes entire-node denial of service when processing attacker-controlled deeply nested Markdown. Two mutually recursive Rust NIF functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document in document.rs, traverse the Comrak AST without enforcing a maximum nesting depth; a document with thousands of nested block quotes drives unbounded recursion that overflows the native C stack. Because the resulting SIGSEGV is raised inside a NIF, the Erlang runtime cannot catch it - the OS process hosting the BEAM terminates, killing every Elixir and Erlang process on the node. No public exploit has been identified at time of analysis, but the attack requires only crafted Markdown input with no authentication.
Out-of-bounds read in GNU gzip's LZH decompression logic allows an unprivileged local attacker to disclose memory contents by supplying two specially crafted archives - an LZW file followed by an LZH file - in a single gzip -d invocation. The shared global decompression array, never reinitialized between files in the same process invocation, is poisoned by the LZW pass and subsequently causes the LZH decoder to read past the end of the allocated buffer, yielding high confidentiality impact per the CVSS 4.0 vector (VC:H). No public exploit or CISA KEV listing has been identified at time of analysis; the fix exists as an upstream source commit only, with no confirmed packaged release.
Native Rust heap exhaustion in leandrocp mdex and mdex_native allows any attacker who can supply document content to MDEx.to_html/1 to crash the BEAM Erlang/Elixir node through unbounded memory accumulation. The Rust NIF permanently leaks memory by calling Box::leak on every escaped-tag literal string during document rendering, with no size cap or rate limit - leakage compounds across repeated renders proportional to literal_size multiplied by node_count, and the BEAM VM can never reclaim native allocations once surrendered this way. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; vendor-released patches are available in mdex 0.12.3 and mdex_native 0.2.3.
Server-side request forgery in Snowflake CLI versions 3.6.0 through 3.18.x lets an attacker coerce a victim's CLI session into fetching attacker-chosen remote URLs and then retrieving and executing remote SQL in that session's context. The flaw lives in the SQL statement reader's !source/!load directives, which resolve remote references at runtime without restricting the request destination, so a victim who processes attacker-supplied SQL can be made to reach internal/non-public network locations. Despite a 9.6 CVSS, real-world urgency is tempered by required user interaction and a low EPSS (0.09%); there is no public exploit identified at time of analysis and it is not in CISA KEV.
Unbounded memory allocation in the MDEx Elixir Markdown rendering library allows a remote unauthenticated attacker to exhaust host memory and crash the BEAM virtual machine by submitting a single crafted fenced code block with an oversized highlight_lines range. Any application that renders user-supplied Markdown through MDEx.to_html/2 - such as a comment box, chat message, or wiki page - is exposed; a payload differing by only a few bytes can force hundreds of megabytes to gigabytes of allocation. No public exploit has been identified at time of analysis, though the attack payload is trivially constructable directly from the public advisory, and patched versions 0.12.3 (mdex) and 0.2.3 (mdex_native) are available.
IP spoofing in LibreTranslate through 1.9.7 allows unauthenticated remote attackers to bypass per-IP rate limiting and flood bans by injecting arbitrary values into the X-Forwarded-For HTTP header. The get_remote_address() function accepts client-supplied header values without validating that the request originated from a trusted proxy, enabling any attacker to present a rotating set of forged IP addresses and evade API abuse controls entirely. No public exploit code has been identified at time of analysis, but the technique requires no authentication and trivially low technical skill given the well-known nature of X-Forwarded-For abuse.
Heap-based buffer overflow in PcapPlusPlus 25.05's Telnet subnegotiation packet parser allows remote attackers to corrupt heap memory by sending a specially crafted Telnet subnegotiation packet to any application embedding this library. The flaw in `pcpp::TelnetLayer::getSubCommand` (Packet++/src/TelnetLayer.cpp) results in low-level confidentiality, integrity, and availability impact against the parsing process. A proof-of-concept exploit (poc.zip) is publicly available on GitHub, but no active exploitation has been confirmed via CISA KEV, and the high attack complexity (AC:H in the provided CVSS 4.0 vector) keeps the overall score at a low 2.9.
Heap-based buffer overflow in PcapPlusPlus 25.05's TLS Hello Handler allows remote unauthenticated attackers to trigger memory corruption via a crafted handshakeVersion argument in the SSLClientHelloMessage::getHandshakeVersion function of SSLHandshake.cpp. Successful exploitation requires high attack complexity, limiting practical impact, but a public proof-of-concept (poc.zip) has been disclosed via GitHub. This vulnerability is not confirmed in CISA KEV, and its CVSS 4.0 score of 2.9 reflects the constrained, low-impact nature of the flaw despite the public exploit availability.
Heap-based buffer overflow in PcapPlusPlus 25.05 allows remote attackers to crash applications that parse attacker-controlled pcapng files via a crafted `captured_packet_length` value in the `parse_by_block_type` function of the LightPcapNg Parser. A publicly available proof-of-concept exploit (poc.zip) exists, though confirmed impact is limited to availability - application crash/denial-of-service - with no confidentiality or integrity impact indicated by the CVSS 4.0 vector. No active exploitation is confirmed, and no patch has been identified at time of analysis.
Log injection in Eclipse CSI PIA's unauthenticated /v1/upload/sbom endpoint allows a remote attacker to plant forged authentication-success log entries that are byte-for-byte indistinguishable from genuine PIA audit events. PIA is an authentication broker whose logs are explicitly designated as the authoritative source for incident response (DESIGN.md §5.4), meaning the forgery directly subverts the audit trail the service exists to produce. No public exploit has been identified at time of analysis, but the attack requires no authentication and minimal technical sophistication.
Stack-based buffer overflow in the TP-Link TL-WR841N v14 web management interface allows an authenticated attacker on the same local network segment to crash the embedded web server via crafted HTTP requests, forcing the device to automatically reboot. The impact is limited exclusively to availability - no confidentiality or integrity exposure has been identified. No public exploit code or CISA KEV listing exists at time of analysis; the constrained attack prerequisites (adjacent network, administrative credentials) significantly bound real-world risk.
Credential exposure in Hitachi Storage Navigator allows authenticated storage administrators to extract insufficiently protected credentials through the network-accessible management interface, potentially enabling lateral movement to systems outside the storage platform's authorization boundary. Affected platforms span the Hitachi VSP 5000-series and G/F/VX-series enterprise storage arrays running pre-patch firmware versions on both the DKCMAIN and SVP components. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the CVSS Scope:Changed metric indicates that exposed credentials could be leveraged against systems well beyond Storage Navigator itself.
Memory corruption (CWE-119) in Apple Safari's web content processing engine causes an unexpected application crash when rendering maliciously crafted web content. Affected across Safari, iOS 26, iPadOS 26, and macOS Tahoe - all versions prior to 26.5.2. An unauthenticated remote attacker can trigger a denial-of-service against any user who visits a hostile page, though no code execution is indicated by current data. No public exploit code and no CISA KEV listing are identified at time of analysis; exploitation probability (EPSS) was not provided in source data.
Safari's web content processing engine on iOS, iPadOS, and macOS Tahoe contains an out-of-bounds write (CWE-787) that causes an unexpected crash when rendering maliciously crafted web content. All Safari versions prior to 26.5.2 - and the underlying WebKit engine shipping with iOS/iPadOS and macOS Tahoe prior to 26.5.2 - are affected. Apple has released patched versions across all three platforms; no public exploit code or CISA KEV listing has been identified at time of analysis, and available impact is limited to a denial-of-service crash with no confirmed code execution path.
Use-after-free memory corruption in Safari's web content rendering engine causes a denial-of-service crash on Apple platforms running Safari, iOS/iPadOS, and macOS Tahoe prior to version 26.5.2. An attacker who can lure a victim to visit a maliciously crafted webpage can reliably crash the Safari browser, with no code execution or data exfiltration indicated by the available CVSS impact scores (C:N/I:N). No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the category of a significant but non-critical browser crash vulnerability.
Stack-based buffer overflow in Apple Safari's web content processing engine causes an unexpected application crash across Safari, iOS/iPadOS, and macOS Tahoe platforms. All versions prior to 26.5.2 are affected; an attacker can trigger the overflow by luring a victim to a maliciously crafted web page, resulting in a denial-of-service through a Safari crash. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, keeping real-world risk moderate despite the broad install base.
Unauthenticated IDOR in Colissimo Officiel : Méthodes de livraison pour WooCommerce (versions ≤ 2.9.0) exposes shipping-related backend objects to manipulation by remote, unauthenticated attackers. Missing server-side authorization on object lookups allows adversaries to reference records belonging to other users, producing low integrity and availability impacts on WooCommerce shipping data with no confidentiality breach. No public exploit code or active exploitation has been identified at time of analysis, and no patched version number was independently confirmed in the available intelligence.
Out-of-bounds read in Safari's web content processing engine causes an unexpected application crash when rendering maliciously crafted web content. Affected are Safari prior to 26.5.2, iOS and iPadOS prior to 26.5.2, and macOS Tahoe prior to 26.5.2. An unauthenticated remote attacker (per PR:N/AV:N in the CVSS vector) can trigger a denial-of-service condition by enticing a user to visit a crafted page; no public exploit or CISA KEV listing has been identified at time of analysis.
Use-after-free memory corruption in Apple's WebKit rendering engine causes unexpected process crashes when processing maliciously crafted web content across Safari, iOS/iPadOS, and macOS Tahoe. All three platform variants prior to the 26.5.2 release train are affected, covering a substantial portion of Apple's consumer and enterprise device fleet. An unauthenticated remote attacker can trigger a denial-of-service condition by enticing a victim to visit a specially crafted webpage; no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Devolutions PowerShell Universal 2026.2.0 leaks serialized App Tokens in plaintext within AI Agent job API responses, enabling authenticated privilege escalation through token theft and replay. An authenticated user holding only AI Agent read access - a lower-privileged role - can extract reusable App Tokens that may carry significantly higher privileges than their own account, effectively bypassing the intended access control boundary. No public exploit code exists and CISA has not listed this in KEV, but the CVSS C:H rating reflects that successful exploitation yields credentials reusable across the platform.
Path traversal (CWE-22) in Apple's WebKit-based browser engine exposes sensitive user information when processing maliciously crafted web content in Safari, iOS, iPadOS, and macOS Tahoe prior to version 26.5.2. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms that an unauthenticated remote attacker needs only to induce a user to visit a malicious page, with no authentication or elevated privileges required. Apple has released fixes across all three platforms; no public exploit or CISA KEV listing has been identified at time of analysis.
Out-of-bounds read in Apple's WebKit rendering engine crashes the browser process when parsing maliciously crafted web content, affecting Safari, iOS, iPadOS, and macOS Tahoe prior to version 26.5.2. The vulnerability requires only that a user visit or be redirected to an attacker-controlled page, making it trivially deliverable via phishing or malicious advertising. Impact is limited to a denial-of-service process crash per vendor disclosure; no public exploit or CISA KEV listing has been identified at time of analysis.
Use-after-free memory corruption in Apple's WebKit engine causes unexpected process crashes when processing maliciously crafted web content. Affected platforms include Safari, iOS 26, iPadOS 26, and macOS Tahoe - all versions prior to 26.5.2. An unauthenticated remote attacker can trigger a denial-of-service condition by luring a user to a malicious web page; no public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Use-after-free memory corruption in WebKit's web content processing causes unexpected process crashes across Safari, iOS, and iPadOS on all versions prior to 26.5.2. An unauthenticated remote attacker who can lure a user to visit a maliciously crafted web page can trigger this condition, resulting in a denial-of-service via browser process termination. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV, though the use-after-free class in WebKit has historically been chained with other primitives to escalate impact.
Use-after-free memory corruption in Safari's web content processing engine causes an unexpected process crash when rendering maliciously crafted web pages. Affected products include Safari, iOS and iPadOS, and macOS Tahoe, all prior to version 26.5.2. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low attack complexity and no-privileges-required vector make user-targeted delivery straightforward.
CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away. The minify function has a memory leak when processing a document containing only characters to be removed, such as comments and whitespace.
Broken access control in the Ads by WPQuads WordPress plugin (versions <= 3.0.3) allows authenticated subscribers to perform privileged administrative actions they are explicitly unauthorized to execute. The flaw, classified under CWE-862 (Missing Authorization), results in high integrity impact with no confidentiality or availability effect, per the CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N vector. No active exploitation has been identified in CISA KEV at time of analysis, though the low attack complexity and widely deployed WordPress ecosystem make this a realistic risk for any site with open subscriber registration.
Out-of-bounds read in Apple's web content processing engine crashes the rendering process across iOS, iPadOS, and macOS Tahoe when a user visits or opens maliciously crafted web content. All iOS and iPadOS versions prior to 26.5.2 and macOS Tahoe versions prior to 26.5.2 are affected per EUVD-2026-40185 and Apple's own advisories. No active exploitation is confirmed in CISA KEV and no public exploit code has been identified; however, the zero-privilege, low-complexity attack path makes denial-of-service accessible to any attacker who can deliver a malicious web page to a victim.
Stored Cross-Site Scripting in WooCommerce Designer Pro (WordPress plugin) versions 1.9.34 and earlier allows authenticated subscribers to inject malicious scripts that execute in the browsers of other users, including administrators. The scope change (S:C in CVSS) indicates injected payloads can cross privilege boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the subscriber-level entry point lowers the bar for exploitation on any site permitting account registration.
Safari, iOS/iPadOS, and macOS Tahoe expose process memory when the browser engine processes maliciously crafted web content, rooted in a CWE-119 improper memory buffer restriction (tagged Buffer Overflow). The CVSS vector (AV:N/AC:L/PR:N/UI:R/C:H) indicates a network-reachable, low-complexity attack requiring only that the victim visit or render attacker-controlled content, resulting in high confidentiality impact through memory leakage. No active exploitation has been confirmed in CISA KEV and no public proof-of-concept has been identified at the time of analysis; Apple has released patched versions (26.5.2) across all affected platforms.
Out-of-bounds read in Apple's web content processing engine (WebKit) causes a browser process crash when a user visits a maliciously crafted webpage, affecting Safari, iOS/iPadOS, and macOS Tahoe. All versions prior to the 26.5.2 releases across those platforms are affected, making this a broad-surface denial-of-service vulnerability against Apple's default browser ecosystem. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the low attack complexity and zero-authentication requirement lower the bar for opportunistic abuse once a malicious page is visited.
Use-after-free memory corruption in Safari's web content processing causes an unexpected application crash across Apple platforms. Affected are Safari, iOS, iPadOS, and macOS Tahoe prior to version 26.5.2; exploitation requires only that a user visits or loads maliciously crafted web content, making drive-by delivery via a malicious webpage the primary vector. Impact is confined to availability - a forced Safari crash (denial of service) - with no confirmed confidentiality or integrity consequences. No public exploit code or active exploitation has been identified at time of analysis.
Use-after-free in Safari's web content processing engine causes denial of service across Apple platforms, affecting Safari, iOS/iPadOS, and macOS prior to the 26.5.2 release line. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) confirms remote, unauthenticated triggering requiring only that a user visit attacker-controlled web content, with impact limited to availability - specifically an unexpected Safari crash. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.
Processing maliciously crafted web content in Apple Safari, iOS/iPadOS, and macOS Tahoe (all versions prior to 26.5.2) triggers an improper memory handling flaw (CWE-119 buffer overflow) in the web content processing pipeline, resulting in an unexpected process crash. The attack vector is network-based requiring user interaction (UI:R per CVSS), and impact is confined to availability - no confidentiality or integrity compromise is described. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.
Memory corruption in Apple's WebKit-based web content processing allows an unauthenticated remote attacker to crash the affected process by luring a user to visit a maliciously crafted webpage. Affected platforms include Safari, iOS, iPadOS, and macOS Tahoe, all prior to version 26.5.2. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog; impact is limited to availability (process crash) with no confirmed confidentiality or integrity exposure.
Use-after-free memory corruption in Safari's web content rendering engine causes an unexpected application crash when processing maliciously crafted web content. Affected are Apple Safari, iOS and iPadOS, and macOS Tahoe - all prior to version 26.5.2. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) confirms that a remote unauthenticated attacker can trigger this condition simply by luring a user to visit a hostile page, with impact limited to availability (process crash/DoS). No public exploit code identified and not listed in CISA KEV at time of analysis; vendor-released patches are available.
Use-after-free memory corruption in Apple's WebKit browser engine causes an unexpected process crash when rendering maliciously crafted web content. Safari (all versions prior to 26.5.2), iOS and iPadOS (all versions prior to 26.5.2), and macOS Tahoe (all versions prior to 26.5.2) are affected across Apple's full consumer device ecosystem. No public exploit or CISA KEV listing exists at time of analysis; impact is confirmed as denial-of-service (process crash) only, with no confidentiality or integrity compromise.
Heap buffer overflow in snap7 v1.4.3 crashes the embedded S7 server when processing a specially crafted write function packet targeting TS7Worker::PerformFunctionWrite() in /core/s7_server.cpp. Systems deploying snap7 as an S7-compatible communication server - common in industrial SCADA, HMI, and IoT gateway applications bridging to Siemens S7-series PLCs - can be disrupted remotely with no privileges required per the CVSS PR:N designation. No public exploit identified at time of analysis, and the EPSS score of 0.19% (8th percentile) reflects minimal current exploitation activity; however, operational impact in OT environments can exceed what the CVSS Availability score alone suggests.
Cross-site request forgery in Squidex CMS v7.21.0 and earlier allows a remote attacker to escalate privileges by targeting the IdentityServer account profile endpoint without requiring any authentication of their own. A proof-of-concept exploit is publicly documented, including a video walkthrough, and SSVC analysis classifies the attack as automatable with partial technical impact. No active exploitation has been confirmed by CISA KEV at time of analysis.
A heap buffer overflow in the HighPriorityASDUQueue_hasUnconfirmedIMessages function of lib60870 v2.3.3 to v2.3.6 allows attackers to cause a Denial of Service (DoS) via a crafted payload.
Double free memory corruption in Apple's web content processing engine crashes the rendering process on iOS/iPadOS (pre-26.5.2) and macOS Tahoe (pre-26.5.2) when a device processes attacker-controlled web content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) confirms network delivery with no authentication required, though a user must interact with the malicious content, and impact is limited to availability - no confidentiality or integrity compromise is indicated. No public exploit code and no CISA KEV listing exist at time of analysis, placing this in a lower active-risk tier despite the ubiquity of affected Apple platforms.