Apple

Operating Systems

Open CVEs: 3
Exploited: 0
KEV: 0
Unpatched: 0
No Workaround: 0
Internet-facing: 2

Why this provider is risky now

This provider has 3 open CVE(s) in the last 7 days. 2 affect internet-facing services.

Top Risky CVEs

CVE-2026-39842
Act Now
Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c
  • Within 24 hours: Inventory all OpenRemote deployments and document current versions; restrict write:rules role to only trusted superuser accounts and disable rules engine if possible.
  • Within 7 days: Test upgrade path to OpenRemote 1.20.3 or later in a non-production environment; implement network segmentation to limit rules engine access.
  • Within 30 days: Complete upgrade of all production OpenRemote instances to version 1.20.3 or later; audit logs for any rules created by non-superuser accounts since deployment; validate tenant isolation is functioning post-patch.
Edge exposure, ICT dependency, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-94: Code Injection)
  • Third-party ICT: Docker, PostgreSQL, Apple
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • ICT provider: PostgreSQL (Databases & Data Platforms)
  • ICT provider: Apple (Operating Systems)
CVSS: 9.9
EPSS: 0.1%
Priority: 50

By Exposure

Internet-facing: 2
Mgmt / Admin Plane: 0
Identity / Auth: 0
Internal only: 1

By Exploitability

Known exploited: 0
Public PoC: 0
High EPSS (>30%): 0
Remote unauthenticated: 1
Local only: 0

By Remediation

Patch available: 3
No patch: 0
Workaround available: 1
No workaround: 0

Affected Services / Product Families

Apple: 3 CVE(s)
CVE-2026-39842 CRITICAL Patched
CVE-2026-40883 MEDIUM Patched
CVE-2026-3861 MEDIUM Patched

Recommended Actions
