Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps.
AnalysisAI
A privacy vulnerability in Apple's operating systems allows third-party applications to enumerate a user's installed applications, resulting in unauthorized information disclosure about device software inventory. The vulnerability affects iOS and iPadOS versions prior to 18.7.7 and 26.4, macOS Sonoma prior to 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4 across all affected product lines. An attacker can exploit this vulnerability by crafting a malicious application that leverages the enumeration capability to profile a user's installed software, potentially enabling further targeted attacks or privacy inference attacks based on application usage patterns.
Technical ContextAI
The vulnerability exists in Apple's application sandboxing and inter-process communication mechanisms across multiple operating systems (iOS/iPadOS, macOS, tvOS, visionOS, watchOS as indicated by CPE strings cpe:2.3:a:apple:ios_and_ipados, cpe:2.3:a:apple:macos, cpe:2.3:a:apple:tvos, cpe:2.3:a:apple:visionos, cpe:2.3:a:apple:watchos). The root cause appears to be insufficient access controls or improper filtering of sensitive system metadata that exposes installed application information to unprivileged processes. This is classified as an Information Disclosure vulnerability where the attack surface involves application-level queries to system APIs that should be restricted or require explicit user consent. The underlying weakness relates to improper restriction of sensitive resource access, where applications can query the device's package or application registry without proper authorization checks.
RemediationAI
Immediately update to the patched versions: iOS and iPadOS 18.7.7 or 26.4, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, or watchOS 26.4, depending on affected device. Enable automatic security updates in Settings > General > Software Update > Automatic Updates to ensure timely installation of patches. Until patching is complete, users should review installed third-party applications and uninstall untrusted or unnecessary applications that could exploit this vulnerability to profile device software inventory. Administrators in enterprise environments should enforce mandatory update policies through MDM/MAM solutions and monitor for suspicious applications requesting system information APIs.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15157