Apple
Monthly
A logic issue in macOS Tahoe allows a malicious application to escape its sandbox and execute code outside of the restricted security boundary. This vulnerability affects macOS versions prior to 26.4 and represents a critical sandbox bypass that could enable arbitrary code execution with elevated privileges. While no CVSS score or active exploitation data is currently available, the sandbox escape capability makes this a high-priority patch for all affected macOS users.
A cross-site scripting (XSS) vulnerability exists in Apple's Safari browser and iOS/iPadOS operating systems due to insufficient input validation in website content handling. An attacker can craft a malicious website that, when visited by a user, executes arbitrary JavaScript in the context of the victim's browser, potentially stealing credentials, session tokens, or performing actions on behalf of the user. Apple has released patches across Safari 26.4, iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, and macOS Tahoe 26.4 to address this logic flaw, though no CVSS score, EPSS data, or KEV status has been publicly disclosed, suggesting this may be a proactive disclosure rather than an actively exploited vulnerability.
A permissions validation flaw in macOS Tahoe allows applications to circumvent Gatekeeper security checks, potentially enabling execution of untrusted or malicious code that would normally be blocked by Apple's code signing and notarization mechanisms. This vulnerability affects macOS Tahoe versions prior to 26.4 and is fixed in the 26.4 release. An attacker with the ability to distribute a specially crafted application could bypass endpoint security controls designed to protect users from unsigned or malicious software.
A privacy vulnerability in macOS allows applications to access sensitive user data through improper handling of temporary files. The issue affects macOS Sequoia (versions prior to 15.7.5), macOS Sonoma (versions prior to 14.8.4), and macOS Tahoe (versions prior to 26.3). An unprivileged application could exploit weak temporary file protections to read or manipulate sensitive data, though no active exploitation in the wild or public proof-of-concept has been confirmed at this time.
A SQL injection vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
The App Builder - Create Native Android & iOS Apps On The Flight WordPress plugin up to version 5.5.10 contains a privilege escalation vulnerability in its REST API registration endpoint that allows unauthenticated attackers to register accounts with the wcfm_vendor role, bypassing WCFM Marketplace's vendor approval workflow. The verify_role() function in AuthTrails.php explicitly whitelists the wcfm_vendor role without proper authorization checks, enabling attackers to immediately gain vendor-level privileges including product management, order access, and store management on affected WordPress installations. This vulnerability has a CVSS score of 6.5 with low attack complexity and no authentication requirements, making it a moderate-to-significant risk for WordPress sites using both this plugin and WCFM Marketplace.
Halloy, an IRC application written in Rust, fails to properly restrict file permissions on its configuration directory and files on *nix and macOS systems prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, resulting in world-readable access to plaintext credentials. Any local user on an affected system can read sensitive authentication data stored in config.toml or referenced password files, leading to credential compromise. While no CVSS score or EPSS data is currently available, the vulnerability represents a direct information disclosure risk with low exploitation complexity.
MinIO AIStor's Security Token Service (STS) AssumeRoleWithLDAPIdentity endpoint contains two combined vulnerabilities that enable LDAP credential brute-forcing: distinguishable error messages allowing username enumeration (CWE-204) and missing rate limiting (CWE-307). All MinIO deployments through the final open-source release with LDAP authentication enabled are affected. Unauthenticated network attackers can enumerate valid LDAP usernames, perform unlimited password guessing attacks, and obtain temporary AWS-style STS credentials granting full access to victim users' S3 buckets and objects.
A man-in-the-middle vulnerability in Cryptomator for iOS versions prior to 2.8.3 allows attackers who can modify the vault.cryptomator configuration file to intercept authentication tokens by substituting malicious API endpoints while maintaining legitimate authentication endpoints. This affects users unlocking Hub-backed vaults in environments where attackers have write access to vault configuration files. No evidence of active exploitation (not in CISA KEV) has been reported, and patches are available.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the error_description parameter of Gainsight Assist, allowing unauthenticated attackers to inject malicious JavaScript payloads that execute in victims' browsers. The vulnerability is particularly dangerous because attackers can bypass the application's Web Application Firewall (WAF) using Safari-specific event handlers such as onpagereveal, which are not typically filtered by standard XSS protections. While the CVSS score of 6.1 indicates moderate severity with limited direct impact (integrity and availability degradation rather than confidentiality breach), the attack requires minimal technical complexity and no special privileges, making it exploitable by any attacker who can craft a malicious URL and socially engineer a victim into clicking it.
OpenClaw prior to version 2026.2.22 on macOS allows local attackers with user-level privileges to execute unauthorized binaries by bypassing path validation in the exec-approval allowlist mode through basename-only entries. An attacker can execute same-named local binaries without approval when the security allowlist policy is enabled, circumventing intended path-based restrictions. A patch is not currently available.
Path traversal in Apple and Kubernetes DAG management APIs allows authenticated attackers to access arbitrary files outside the intended directory by injecting URL-encoded forward slashes into file name parameters on GET, DELETE, RENAME, and EXECUTE endpoints. The vulnerability affects systems where a previous patch (CVE-2026-27598) only secured the CREATE endpoint while leaving other API functions unprotected. An attacker with valid credentials can read, modify, or execute unintended DAG files on the affected system.
JWT algorithm confusion in MinIO's OpenID Connect authentication enables attackers with knowledge of the OIDC ClientSecret to forge identity tokens and obtain S3 credentials with unrestricted IAM policies, including administrative access. Affected users can have their identities impersonated and their data accessed, modified, or deleted with 100% attack success rate. The vulnerability impacts MinIO deployments across Docker, Apple, and Microsoft platforms, with no patch currently available.
Unauthenticated attackers can stream any private or paid video in PHP, Oracle, and Apple applications through a path traversal vulnerability in the HLS streaming endpoint. The flaw exploits a split-oracle condition where authorization validation and file access use different parsing logic on the videoDirectory parameter, allowing attackers to bypass authentication checks while accessing unauthorized content. No patch is currently available for this high-severity vulnerability.
The dasel YAML reader contains an unbounded alias expansion vulnerability (CWE-674) that allows attackers to trigger extreme CPU and memory consumption through specially crafted YAML documents. Affected versions include dasel v3.0.0 through v3.3.1 and the current default branch. An attacker who can supply YAML input-via CLI, file processing, or library usage-can cause denial of service with a malicious 342-byte payload that fails to complete within 5 seconds and exhibits unbounded resource growth, as demonstrated by the provided proof-of-concept.
OpenClaw versions before 2026.2.22 contain an allowlist parsing flaw in the macOS companion app that enables authenticated operators with elevated privileges to bypass command execution controls and run arbitrary commands on paired hosts. The vulnerability affects systems with operator.write access and macOS beta nodes, allowing attackers to craft malicious shell-chain payloads that circumvent validation checks. A security patch is available.
SiYuan's Bazaar marketplace fails to sanitize package metadata (displayName, description) before rendering in the Electron desktop application, allowing stored XSS that escalates to arbitrary remote code execution. Any SiYuan user (versions ≤3.5.9) who browses the Bazaar will automatically execute attacker-controlled code with full OS-level privileges when a malicious package card renders-no installation or user interaction required. A functional proof-of-concept exists demonstrating command execution via img onerror handlers, and this vulnerability is actively tracked in GitHub's advisory database (GHSA-mvpm-v6q4-m2pf), making it a critical supply-chain risk to the SiYuan user community.
SiYuan's Bazaar (community package marketplace) fails to sanitize HTML in package README files during rendering, allowing stored XSS that escalates to remote code execution due to unsafe Electron configuration. An attacker can submit a malicious package with embedded JavaScript in the README that executes with full Node.js access when any user views the package details in the Bazaar. This affects SiYuan versions 3.5.9 and earlier across Windows, macOS, and Linux, with a CVSS score of 9.6 and multiple real-world exploitation vectors including data theft, reverse shells, and persistent backdoors.
Arturia Software Center on macOS installs plugin uninstall scripts with world-writable permissions (777) in root-owned directories, allowing local attackers to modify these scripts and achieve privilege escalation when the Privileged Helper executes them during plugin removal. This vulnerability affects any macOS user with the Arturia Software Center installed and requires local access and user interaction to exploit. No patch is currently available.
The Arturia Software Center on macOS contains insufficient code signature validation in its Privileged Helper component, allowing unauthenticated clients to connect and execute privileged actions without proper authorization. This vulnerability affects all versions of Arturia Software Center and enables local privilege escalation attacks where an unprivileged user can escalate to root or system-level privileges. While no CVSS score or EPSS data is publicly available, the authentication bypass nature and privilege escalation impact classify this as a high-severity issue; no KEV listing or public proof-of-concept has been confirmed at this time.
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the macOS node-host system.run function that permits remote attackers with high privileges to execute arbitrary commands by exploiting improper parsing of command substitution tokens. Attackers can craft malicious shell payloads using command substitution syntax within double-quoted strings to circumvent security allowlists and achieve code execution. A patch is available from the vendor, and the vulnerability has been documented by VulnCheck with public advisory and GitHub security advisory references.
A denial of service vulnerability in A cross-origin (CVSS 5.4). Remediation should follow standard vulnerability management procedures.
SiYuan's mobile file tree fails to sanitize notebook names in WebSocket rename events, allowing authenticated users to inject arbitrary HTML and JavaScript that executes in other clients' browsers. When combined with Electron's insecure configuration (nodeIntegration enabled, contextIsolation disabled), this stored XSS escalates to remote code execution with full Node.js privileges on affected desktop and mobile clients. The vulnerability affects users with notebook rename permissions across Docker, Node.js, Python, and Apple platforms.
The issue was addressed with improved memory handling. This issue is fixed in iOS 17.2 and iPadOS 17.2, macOS Sonoma 14.2, Safari 17.2, iOS 16.7.15 and iPadOS 16.7.15, iOS 15.8.7 and iPadOS 15.8.7. [CVSS 8.8 HIGH]
Unsafe navigation in Navigation in Google Chrome on iOS versions up to 146.0.7680.71 contains a security vulnerability.
Arbitrary code execution in Jellyfin iOS GitHub Actions workflow. CVSS 10.0.
Supabase Auth allows remote attackers to hijack user sessions by crafting fraudulent ID tokens when Apple or Azure OAuth providers are configured, enabling unauthorized access to victim accounts without requiring user interaction. An attacker can forge a valid JWT token for any target email address and exchange it at the token endpoint to obtain legitimate session credentials, effectively impersonating arbitrary users. This affects organizations using Supabase with Apple or Azure authentication enabled, with no patch currently available to remediate the vulnerability.
Cisco IOS XR Software's IS-IS routing implementation fails to properly validate incoming protocol packets, enabling an adjacent network attacker to trigger repeated process crashes and temporary routing outages. An attacker with Layer 2 adjacency can send malformed IS-IS packets to force denial of service conditions affecting network connectivity. No patch is currently available for this high-severity vulnerability.
Cisco IOS XR Software contains a task group mapping flaw in a specific CLI command that allows authenticated local attackers to bypass privilege checks and gain full administrative access to affected devices. An attacker with low-privileged credentials can exploit this misconfiguration to execute unauthorized administrative actions without proper authorization validation. No patch is currently available.
Insufficient CLI argument validation in Cisco IOS XR Software enables authenticated local attackers to achieve root-level code execution through crafted commands. An attacker with low-privileged account access can exploit this vulnerability to bypass privilege restrictions and execute arbitrary commands on the affected device's underlying operating system. No patch is currently available for this high-severity vulnerability.
Domain spoofing in Focus for iOS versions prior to 148.2 allows remote attackers to display malicious content under trusted domain names through navigation stalling and iframe redirection techniques, without requiring user interaction beyond the initial page load. An attacker can leverage this to conduct phishing attacks or distribute misleading content by presenting spoofed trusted domains in the browser UI. No patch is currently available for this vulnerability.
Acronis Cyber Protect and Cloud Agent on macOS before specific builds contain an insecure Unix socket permissions vulnerability that allows local authenticated users to escalate privileges and gain complete system control. An attacker with local access can exploit this misconfiguration to read sensitive data, modify system files, and execute arbitrary commands with elevated rights. No patch is currently available for this HIGH severity vulnerability.
Remote denial-of-service in RustDesk Client through 1.4.5 allows network-positioned attackers to disrupt the remote-access agent by manipulating heartbeat synchronization traffic, abusing weak authenticity checks in the hbbs_http/sync.rs heartbeat loop to trigger the stop-service handler. Publicly available exploit code exists, but EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis being tracked as actively exploited (not in CISA KEV).
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
RustDesk Server Pro through version 1.7.5 transmits sensitive address book credentials in cleartext over the network heartbeat synchronization API, enabling attackers to intercept and obtain authentication credentials without authentication. The vulnerability affects Windows, macOS, and Linux deployments where the address book sync functionality is enabled. No patch is currently available.
RustDesk Client through version 1.4.5 transmits sensitive preset address book credentials in cleartext during heartbeat synchronization, enabling network eavesdropping attacks across Windows, macOS, Linux, iOS, and Android platforms. An attacker positioned to intercept network traffic can capture authentication credentials by sniffing the unencrypted JSON payload. No patch is currently available for this high-severity vulnerability (CVSS 8.7).
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Configuration tampering in RustDesk Client through 1.4.5 allows a network-positioned attacker to manipulate Application API messages exchanged between the client and its rendezvous/sync server, altering client strategy and configuration options. The flaw spans every supported platform (Windows, macOS, Linux, iOS, Android, WebClient) and stems from insecure handling in the Strategy merge loop and Config::set_options(), giving an MitM attacker the ability to silently rewrite client behavior. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.05% (16th percentile).
Password brute-forcing weakness in RustDesk Server Pro through 1.7.5 and RustDesk Server (OSS) through 1.1.15 allows remote attackers to attack the peer authentication and API login modules without triggering rate limiting, while the SHA256(SHA256(pwd+salt)+challenge) construction provides insufficient computational cost to resist offline guessing. The flaw combines CWE-307 (missing throttling of authentication attempts) with weak password hashing on Windows, macOS, and Linux deployments, and no public exploit has been identified at time of analysis.
Authentication bypass in RustDesk Client through 1.4.5 across Windows, macOS, Linux, iOS, and Android allows remote attackers to replay captured session IDs and login proofs to impersonate legitimate peers without knowing the original credentials. The flaw stems from insufficient computational effort in the hash_password() routine combined with reusable session identifiers in the login proof construction, enabling capture-replay attacks against the peer authentication module. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.04% (12th percentile).
RustDesk Client through version 1.4.5 on Windows, macOS, and Linux uses weak password hashing and improper object prototype handling in its password security and configuration encryption modules, allowing local authenticated attackers to extract embedded sensitive data including passwords and machine identifiers. The vulnerability affects critical cryptographic functions including symmetric_crypt() and decrypt_str_or_original(), enabling attackers with local access and valid credentials to compromise encrypted credentials and system identifiers. No patch is currently available.
Privilege escalation in RustDesk Client through version 1.4.5 on Windows, macOS, Linux, iOS, and Android allows unauthenticated remote attackers to abuse API sync and configuration management functions. The vulnerability in the rendezvous mediator and HTTP sync modules enables attackers to gain elevated privileges without user interaction. No patch is currently available for affected users.
RustDesk Server Pro through version 1.7.5 uses weak cryptographic algorithms in configuration string generation and web console export functions, enabling attackers to extract sensitive embedded data from exported configurations. This vulnerability affects Windows, macOS, and Linux deployments and requires no authentication or user interaction to exploit. No patch is currently available.
RustDesk Client through version 1.4.5 uses a broken cryptographic algorithm that allows attackers to retrieve sensitive embedded data during config import, URI scheme handling, or CLI operations across Windows, macOS, Linux, iOS, Android, and web clients. An unauthenticated remote attacker can exploit this vulnerability without user interaction to extract sensitive configuration information. No patch is currently available for this high-severity vulnerability.
Command injection in exiftool's PNG file parser on macOS allows remote attackers to execute arbitrary OS commands by manipulating the DateTimeOriginal argument in the SetMacOSTags function. Public exploit code exists for this vulnerability, and affected users should upgrade to version 13.50 or later to remediate the issue.
Address bar spoofing in Firefox before 148 allows malicious scripts to desynchronize the displayed URL from actual web content before receiving a response, enabling phishing attacks.
OpenClaw's mDNS/Bonjour discovery beacons transmit unauthenticated TXT records that iOS, macOS, and Android clients treat as authoritative for routing and TLS certificate pinning, allowing an attacker on a shared LAN to advertise a rogue service and redirect connections to attacker-controlled endpoints. An attacker can exploit this to bypass TLS pinning validation and potentially capture Gateway credentials through man-in-the-middle attacks. The vulnerability affects OpenClaw versions prior to 2026.2.14 and requires network proximity but no user interaction.
Firefox for iOS before version 147.2.1 fails to properly synchronize the address bar with page content when malicious scripts interfere with new tab loading, enabling attackers to conduct HTML spoofing attacks under trusted domains. An attacker can exploit this through a malicious webpage to deceive users into believing they are viewing legitimate content from a trusted site. This vulnerability requires user interaction to trigger but has no patch currently available.
Apple's kernel across all platforms (iOS, macOS, watchOS, visionOS, tvOS) contains a memory corruption vulnerability (CVE-2026-20700, CVSS 7.8) that allows attackers with memory write capability to execute arbitrary code at the kernel level. KEV-listed with Apple confirming reports of sophisticated in-the-wild exploitation, this represents an active zero-day targeting the Apple ecosystem at its most fundamental security boundary.
Deleted notes on affected Apple iOS and iPadOS devices remain accessible due to improper state management, allowing unauthenticated remote attackers to discover sensitive deleted content without user interaction. This information disclosure vulnerability affects iOS 26.3, iPadOS 26.3, iOS 18.7.5, and iPadOS 18.7.5, with no patch currently available for earlier versions.
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Tahoe 26.3. [CVSS 3.3 LOW]
Sandboxed applications on Apple platforms (macOS Tahoe, Sonoma, Sequoia, iOS, and iPadOS) can bypass app state observability restrictions to access sensitive user data. A local attacker with app execution privileges could exploit this information disclosure vulnerability to observe data from other applications. Patches are available in macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5, and iPadOS 18.7.5.
Unauthorized access to sensitive user data in iOS and iPadOS results from improper state management in authorization checks, allowing local applications to bypass access restrictions. This medium-severity vulnerability affects Apple iOS/iPadOS users running versions prior to 18.7.5 and 26.3, with no patch currently available. A malicious app with user permissions could extract confidential information without additional user interaction.
Race condition in Apple macOS/iOS symlink handling allows privilege escalation. Fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5.
Safari web extensions on Apple platforms can leak user tracking information due to inadequate state management controls, allowing websites to identify and monitor individual users across browsing sessions. This vulnerability affects iOS, iPadOS, macOS, and visionOS, and is resolved in version 26.3 of each platform. The low CVSS score reflects limited direct user impact, though it represents a privacy concern for Safari users.
Information disclosure in Apple's image processing across iOS, iPadOS, macOS, tvOS, and visionOS allows local attackers to extract sensitive user data by supplying a specially crafted image file. The vulnerability requires user interaction to trigger the malicious image processing and affects multiple OS versions prior to their patched releases. No patch is currently available for affected users.
iOS and iPadOS devices expose sensitive user information to attackers with physical access to locked devices due to improper data handling in the system. The vulnerability allows unauthorized viewing of confidential information without requiring authentication or user interaction. Apple patched this information disclosure flaw in iOS 26.3 and iPadOS 26.3.
Mail content filtering bypass in Apple macOS, iOS, and iPadOS allows remote content to load in message previews despite user-disabled remote content settings. An attacker can exploit this logic flaw to track user engagement or deliver malicious content that bypasses the intended privacy protection. Patches are available in macOS Sequoia 15.7.4, iOS 18.7.5, iPadOS 18.7.5, macOS Tahoe 26.3, and macOS Sonoma 14.8.4.
A logic issue was addressed with improved checks. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3. [CVSS 3.1 LOW]
macOS path validation bypass allows local authenticated users to read sensitive user data through improper directory path parsing. The vulnerability requires local access and valid credentials, limiting the attack surface to users already on the affected system. No patch is currently available for this medium-severity issue affecting macOS Tahoe 26.3 and earlier versions.
Sandbox escape in Apple macOS, iOS, and watchOS allows local authenticated attackers to break out of application sandboxes and gain unauthorized access to system resources and other applications' data. The vulnerability stems from insufficient validation logic in sandbox enforcement mechanisms, enabling privilege escalation with high impact on confidentiality, integrity, and availability across affected devices. No patch is currently available.
Unauthorized access to sensitive user data in macOS can be achieved by local applications due to improper authorization state management affecting macOS Tahoe 26.2 and earlier. An attacker with local access and basic user privileges can exploit this flaw to read confidential information without user interaction. No patch is currently available for this vulnerability.
The issue was resolved by sanitizing logging. This issue is fixed in iOS 26.3 and iPadOS 26.3, iOS 18.7.5 and iPadOS 18.7.5. [CVSS 3.3 LOW]
macOS devices running Sequoia 15.7.3 and earlier or Tahoe 26.2 and earlier contain an authorization bypass that permits an attacker with physical access to a locked device to view sensitive user information through improper state management. This vulnerability affects all macOS users and carries a MEDIUM severity rating with no available patch at this time. The flaw requires direct device access and does not enable code execution or system modification.
iOS and iPadOS devices with physical access vulnerabilities allow attackers to bypass authorization controls and access sensitive user information on locked devices through improper state management. The flaw affects multiple iOS versions including 18.7.5 and earlier, requiring only physical access to the device with no user interaction or elevated privileges. Apple has issued patches in iOS 26.3 and iPadOS 26.3, though updates for earlier versions (iOS 18.7.5 and iPadOS 18.7.5) are also available.
Arbitrary file write vulnerability in Apple's macOS, iOS, iPadOS, and Safari resulting from improper path handling logic allows remote attackers to write files without authentication or user interaction. Affected versions include macOS Tahoe 26.3 and earlier, macOS Sonoma 14.8.4 and earlier, iOS 18.7.5 and earlier, and Safari 26.3 and earlier. No patch is currently available for this high-severity vulnerability.
Unprivileged local users on macOS can exploit a package validation bypass to escalate privileges to root through a vulnerable application. This high-severity issue affects macOS systems up to version 26.2 and requires local access with standard user privileges. A patch is not yet available, leaving affected systems exposed to privilege escalation attacks.
A logic issue was addressed with improved validation. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, Safari 26.3, macOS Tahoe 26.3. [CVSS 3.3 LOW]
Sensitive information disclosure in Apple iOS and iPadOS results from improper state management in authorization checks, allowing an attacker with physical access to a locked device to view confidential user data. The vulnerability affects multiple iOS and iPadOS versions and currently lacks an available patch. Local privilege or device access is required, making this a risk primarily to users whose devices may be physically compromised.
A local privilege escalation vulnerability in Apple's operating systems (macOS, iOS, visionOS, and iPadOS) allows authenticated users to trigger a buffer overflow condition resulting in denial of service through application crashes. The vulnerability stems from improper memory handling and affects multiple Apple platforms including watchOS and tvOS. Currently, no patch is available, though the vendor has indicated fixes will be included in upcoming OS updates.
Improper path validation in Apple's macOS, iOS, and visionOS allows local attackers to bypass directory access restrictions and read sensitive user data through crafted file paths. An authenticated user with local access can exploit this parsing weakness without user interaction to access confidential information. No patch is currently available for this vulnerability.
Remote denial-of-service attacks against Apple's macOS, iOS, iPadOS, Safari, and visionOS result from improper memory handling that allows unauthenticated attackers to crash affected systems over the network. The vulnerability affects multiple Apple platforms and requires no user interaction or elevated privileges to exploit. Patches are available for macOS Tahoe 26.3, iOS/iPadOS 18.7.5, visionOS 26.3, and Safari 26.3.
Denial-of-service attacks targeting Apple's Bluetooth stack (macOS, iOS, visionOS, watchOS) can be triggered by attackers with network access through specially crafted packets, causing service interruption without requiring user interaction. An attacker positioned on the same network segment can exploit insufficient input validation to crash Bluetooth functionality across affected devices. No patch is currently available for this vulnerability.
Insufficient data redaction in Apple's logging mechanisms across macOS, iOS, watchOS, and tvOS allows unauthenticated attackers to view sensitive user information without user interaction. This network-accessible vulnerability affects multiple Apple platforms and products with a CVSS score of 7.5. Patches are available in watchOS 26.3, iOS 26.3, iPadOS 26.3, tvOS 26.3, and macOS Tahoe 26.3.
Malicious applications on macOS can intercept and read notifications synced from other iCloud-connected devices due to improper access controls on notification data. This local privilege escalation affects macOS versions prior to Tahoe 26.3 and requires user interaction to execute the malicious app. An attacker with local access could gain unauthorized visibility into private notifications and communications across a user's device ecosystem.
This issue was addressed with improved data protection. This issue is fixed in macOS Tahoe 26.3. [CVSS 5.5 MEDIUM]
A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.3. [CVSS 3.3 LOW]
Information disclosure on locked iOS and iPadOS devices stems from improper UI state management, allowing an attacker with physical device access to view sensitive user data. The vulnerability affects multiple Apple mobile OS versions and currently lacks a public patch, though fixes are available in iOS 26.3, iPadOS 26.3, iOS 18.7.5, and iPadOS 18.7.5.
Memory handling flaws in Apple's macOS, iOS, iPadOS, and Safari allow remote attackers to crash affected processes by serving specially crafted web content, requiring only user interaction to trigger the denial of service. The vulnerability affects multiple Apple platforms and products across recent versions, with fixes available in macOS Tahoe 26.3, iOS 18.7.5, iPadOS 18.7.5, and Safari 26.3. No patches are currently available for all affected versions.
An input validation issue was addressed. This issue is fixed in iOS 26.3 and iPadOS 26.3. [CVSS 2.4 LOW]
Installed application enumeration in Apple operating systems (macOS, iOS, iPadOS, tvOS, visionOS, watchOS) allows local applications to discover what other apps a user has installed through insufficient privacy controls. An attacker can exploit this through a malicious app to profile a user's installed software without explicit permission. This vulnerability affects multiple Apple platforms and requires user interaction to execute a malicious application.
iPhone Mirroring in iOS and iPadOS allows an attacker with physical device access to bypass UI protections and capture screenshots containing sensitive information that should remain hidden during the mirroring session. The vulnerability stems from insufficient state management in the user interface, enabling unauthorized viewing of private data on the iPhone while it is being mirrored to a Mac. No patch is currently available for this medium-severity issue.
A logic issue was addressed with improved checks. This issue is fixed in iOS 26.3 and iPadOS 26.3. [CVSS 5.5 MEDIUM]
Denial of service in Apple Safari, iOS, iPadOS, and macOS results from improper memory handling when processing maliciously crafted web content, causing unexpected process crashes. An unauthenticated remote attacker can trigger this vulnerability through a specially crafted webpage, affecting users who view the malicious content. No patch is currently available for this vulnerability.
Denial of service affecting Apple's macOS, iOS, iPadOS, watchOS, tvOS, and visionOS results from a memory handling flaw that crashes processes when parsing malicious web content. An unauthenticated remote attacker can trigger unexpected application termination through crafted web pages, requiring only user interaction to visit a malicious site. A patch is not currently available for this medium-severity vulnerability.
Memory disclosure in Apple's image processing across macOS, iOS, iPadOS, tvOS, and visionOS allows local attackers with user interaction to leak sensitive process memory by submitting a specially crafted image file. The vulnerability requires no elevated privileges and affects multiple Apple operating system versions, with fixes available in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, and corresponding iOS/iPadOS updates. An attacker could exploit this to extract confidential data from running processes on the targeted device.
macOS systems running versions prior to Tahoe 26.3 contain an improper permissions restriction that allows local applications to read sensitive user data without authorization. A threat actor with local access could exploit this vulnerability to exfiltrate protected information. A patch is currently unavailable for affected systems.
Improper temporary file handling in macOS allows local applications to read sensitive user data without user interaction. An attacker with local access and app execution privileges can bypass privacy controls to access confidential information. This vulnerability affects macOS Tahoe 26.3 and earlier, with no patch currently available.
Sandbox escape vulnerability in Apple's macOS, iOS, tvOS, and related platforms (CVE-2026-20628) permits malicious applications to break out of their sandbox restrictions through a permissions bypass. A local attacker with user interaction can achieve high-impact confidentiality and integrity violations by exploiting this weakness. Patches are available across multiple OS versions including macOS Tahoe 26.3, iOS 18.7.5, tvOS 26.3, and others.
A logic issue in macOS Tahoe allows a malicious application to escape its sandbox and execute code outside of the restricted security boundary. This vulnerability affects macOS versions prior to 26.4 and represents a critical sandbox bypass that could enable arbitrary code execution with elevated privileges. While no CVSS score or active exploitation data is currently available, the sandbox escape capability makes this a high-priority patch for all affected macOS users.
A cross-site scripting (XSS) vulnerability exists in Apple's Safari browser and iOS/iPadOS operating systems due to insufficient input validation in website content handling. An attacker can craft a malicious website that, when visited by a user, executes arbitrary JavaScript in the context of the victim's browser, potentially stealing credentials, session tokens, or performing actions on behalf of the user. Apple has released patches across Safari 26.4, iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, and macOS Tahoe 26.4 to address this logic flaw, though no CVSS score, EPSS data, or KEV status has been publicly disclosed, suggesting this may be a proactive disclosure rather than an actively exploited vulnerability.
A permissions validation flaw in macOS Tahoe allows applications to circumvent Gatekeeper security checks, potentially enabling execution of untrusted or malicious code that would normally be blocked by Apple's code signing and notarization mechanisms. This vulnerability affects macOS Tahoe versions prior to 26.4 and is fixed in the 26.4 release. An attacker with the ability to distribute a specially crafted application could bypass endpoint security controls designed to protect users from unsigned or malicious software.
A privacy vulnerability in macOS allows applications to access sensitive user data through improper handling of temporary files. The issue affects macOS Sequoia (versions prior to 15.7.5), macOS Sonoma (versions prior to 14.8.4), and macOS Tahoe (versions prior to 26.3). An unprivileged application could exploit weak temporary file protections to read or manipulate sensitive data, though no active exploitation in the wild or public proof-of-concept has been confirmed at this time.
A SQL injection vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
The App Builder - Create Native Android & iOS Apps On The Flight WordPress plugin up to version 5.5.10 contains a privilege escalation vulnerability in its REST API registration endpoint that allows unauthenticated attackers to register accounts with the wcfm_vendor role, bypassing WCFM Marketplace's vendor approval workflow. The verify_role() function in AuthTrails.php explicitly whitelists the wcfm_vendor role without proper authorization checks, enabling attackers to immediately gain vendor-level privileges including product management, order access, and store management on affected WordPress installations. This vulnerability has a CVSS score of 6.5 with low attack complexity and no authentication requirements, making it a moderate-to-significant risk for WordPress sites using both this plugin and WCFM Marketplace.
Halloy, an IRC application written in Rust, fails to properly restrict file permissions on its configuration directory and files on *nix and macOS systems prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, resulting in world-readable access to plaintext credentials. Any local user on an affected system can read sensitive authentication data stored in config.toml or referenced password files, leading to credential compromise. While no CVSS score or EPSS data is currently available, the vulnerability represents a direct information disclosure risk with low exploitation complexity.
MinIO AIStor's Security Token Service (STS) AssumeRoleWithLDAPIdentity endpoint contains two combined vulnerabilities that enable LDAP credential brute-forcing: distinguishable error messages allowing username enumeration (CWE-204) and missing rate limiting (CWE-307). All MinIO deployments through the final open-source release with LDAP authentication enabled are affected. Unauthenticated network attackers can enumerate valid LDAP usernames, perform unlimited password guessing attacks, and obtain temporary AWS-style STS credentials granting full access to victim users' S3 buckets and objects.
A man-in-the-middle vulnerability in Cryptomator for iOS versions prior to 2.8.3 allows attackers who can modify the vault.cryptomator configuration file to intercept authentication tokens by substituting malicious API endpoints while maintaining legitimate authentication endpoints. This affects users unlocking Hub-backed vaults in environments where attackers have write access to vault configuration files. No evidence of active exploitation (not in CISA KEV) has been reported, and patches are available.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the error_description parameter of Gainsight Assist, allowing unauthenticated attackers to inject malicious JavaScript payloads that execute in victims' browsers. The vulnerability is particularly dangerous because attackers can bypass the application's Web Application Firewall (WAF) using Safari-specific event handlers such as onpagereveal, which are not typically filtered by standard XSS protections. While the CVSS score of 6.1 indicates moderate severity with limited direct impact (integrity and availability degradation rather than confidentiality breach), the attack requires minimal technical complexity and no special privileges, making it exploitable by any attacker who can craft a malicious URL and socially engineer a victim into clicking it.
OpenClaw prior to version 2026.2.22 on macOS allows local attackers with user-level privileges to execute unauthorized binaries by bypassing path validation in the exec-approval allowlist mode through basename-only entries. An attacker can execute same-named local binaries without approval when the security allowlist policy is enabled, circumventing intended path-based restrictions. A patch is not currently available.
Path traversal in Apple and Kubernetes DAG management APIs allows authenticated attackers to access arbitrary files outside the intended directory by injecting URL-encoded forward slashes into file name parameters on GET, DELETE, RENAME, and EXECUTE endpoints. The vulnerability affects systems where a previous patch (CVE-2026-27598) only secured the CREATE endpoint while leaving other API functions unprotected. An attacker with valid credentials can read, modify, or execute unintended DAG files on the affected system.
JWT algorithm confusion in MinIO's OpenID Connect authentication enables attackers with knowledge of the OIDC ClientSecret to forge identity tokens and obtain S3 credentials with unrestricted IAM policies, including administrative access. Affected users can have their identities impersonated and their data accessed, modified, or deleted with 100% attack success rate. The vulnerability impacts MinIO deployments across Docker, Apple, and Microsoft platforms, with no patch currently available.
Unauthenticated attackers can stream any private or paid video in PHP, Oracle, and Apple applications through a path traversal vulnerability in the HLS streaming endpoint. The flaw exploits a split-oracle condition where authorization validation and file access use different parsing logic on the videoDirectory parameter, allowing attackers to bypass authentication checks while accessing unauthorized content. No patch is currently available for this high-severity vulnerability.
The dasel YAML reader contains an unbounded alias expansion vulnerability (CWE-674) that allows attackers to trigger extreme CPU and memory consumption through specially crafted YAML documents. Affected versions include dasel v3.0.0 through v3.3.1 and the current default branch. An attacker who can supply YAML input-via CLI, file processing, or library usage-can cause denial of service with a malicious 342-byte payload that fails to complete within 5 seconds and exhibits unbounded resource growth, as demonstrated by the provided proof-of-concept.
OpenClaw versions before 2026.2.22 contain an allowlist parsing flaw in the macOS companion app that enables authenticated operators with elevated privileges to bypass command execution controls and run arbitrary commands on paired hosts. The vulnerability affects systems with operator.write access and macOS beta nodes, allowing attackers to craft malicious shell-chain payloads that circumvent validation checks. A security patch is available.
SiYuan's Bazaar marketplace fails to sanitize package metadata (displayName, description) before rendering in the Electron desktop application, allowing stored XSS that escalates to arbitrary remote code execution. Any SiYuan user (versions ≤3.5.9) who browses the Bazaar will automatically execute attacker-controlled code with full OS-level privileges when a malicious package card renders-no installation or user interaction required. A functional proof-of-concept exists demonstrating command execution via img onerror handlers, and this vulnerability is actively tracked in GitHub's advisory database (GHSA-mvpm-v6q4-m2pf), making it a critical supply-chain risk to the SiYuan user community.
SiYuan's Bazaar (community package marketplace) fails to sanitize HTML in package README files during rendering, allowing stored XSS that escalates to remote code execution due to unsafe Electron configuration. An attacker can submit a malicious package with embedded JavaScript in the README that executes with full Node.js access when any user views the package details in the Bazaar. This affects SiYuan versions 3.5.9 and earlier across Windows, macOS, and Linux, with a CVSS score of 9.6 and multiple real-world exploitation vectors including data theft, reverse shells, and persistent backdoors.
Arturia Software Center on macOS installs plugin uninstall scripts with world-writable permissions (777) in root-owned directories, allowing local attackers to modify these scripts and achieve privilege escalation when the Privileged Helper executes them during plugin removal. This vulnerability affects any macOS user with the Arturia Software Center installed and requires local access and user interaction to exploit. No patch is currently available.
The Arturia Software Center on macOS contains insufficient code signature validation in its Privileged Helper component, allowing unauthenticated clients to connect and execute privileged actions without proper authorization. This vulnerability affects all versions of Arturia Software Center and enables local privilege escalation attacks where an unprivileged user can escalate to root or system-level privileges. While no CVSS score or EPSS data is publicly available, the authentication bypass nature and privilege escalation impact classify this as a high-severity issue; no KEV listing or public proof-of-concept has been confirmed at this time.
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the macOS node-host system.run function that permits remote attackers with high privileges to execute arbitrary commands by exploiting improper parsing of command substitution tokens. Attackers can craft malicious shell payloads using command substitution syntax within double-quoted strings to circumvent security allowlists and achieve code execution. A patch is available from the vendor, and the vulnerability has been documented by VulnCheck with public advisory and GitHub security advisory references.
A denial of service vulnerability in A cross-origin (CVSS 5.4). Remediation should follow standard vulnerability management procedures.
SiYuan's mobile file tree fails to sanitize notebook names in WebSocket rename events, allowing authenticated users to inject arbitrary HTML and JavaScript that executes in other clients' browsers. When combined with Electron's insecure configuration (nodeIntegration enabled, contextIsolation disabled), this stored XSS escalates to remote code execution with full Node.js privileges on affected desktop and mobile clients. The vulnerability affects users with notebook rename permissions across Docker, Node.js, Python, and Apple platforms.
The issue was addressed with improved memory handling. This issue is fixed in iOS 17.2 and iPadOS 17.2, macOS Sonoma 14.2, Safari 17.2, iOS 16.7.15 and iPadOS 16.7.15, iOS 15.8.7 and iPadOS 15.8.7. [CVSS 8.8 HIGH]
Unsafe navigation in Navigation in Google Chrome on iOS versions up to 146.0.7680.71 contains a security vulnerability.
Arbitrary code execution in Jellyfin iOS GitHub Actions workflow. CVSS 10.0.
Supabase Auth allows remote attackers to hijack user sessions by crafting fraudulent ID tokens when Apple or Azure OAuth providers are configured, enabling unauthorized access to victim accounts without requiring user interaction. An attacker can forge a valid JWT token for any target email address and exchange it at the token endpoint to obtain legitimate session credentials, effectively impersonating arbitrary users. This affects organizations using Supabase with Apple or Azure authentication enabled, with no patch currently available to remediate the vulnerability.
Cisco IOS XR Software's IS-IS routing implementation fails to properly validate incoming protocol packets, enabling an adjacent network attacker to trigger repeated process crashes and temporary routing outages. An attacker with Layer 2 adjacency can send malformed IS-IS packets to force denial of service conditions affecting network connectivity. No patch is currently available for this high-severity vulnerability.
Cisco IOS XR Software contains a task group mapping flaw in a specific CLI command that allows authenticated local attackers to bypass privilege checks and gain full administrative access to affected devices. An attacker with low-privileged credentials can exploit this misconfiguration to execute unauthorized administrative actions without proper authorization validation. No patch is currently available.
Insufficient CLI argument validation in Cisco IOS XR Software enables authenticated local attackers to achieve root-level code execution through crafted commands. An attacker with low-privileged account access can exploit this vulnerability to bypass privilege restrictions and execute arbitrary commands on the affected device's underlying operating system. No patch is currently available for this high-severity vulnerability.
Domain spoofing in Focus for iOS versions prior to 148.2 allows remote attackers to display malicious content under trusted domain names through navigation stalling and iframe redirection techniques, without requiring user interaction beyond the initial page load. An attacker can leverage this to conduct phishing attacks or distribute misleading content by presenting spoofed trusted domains in the browser UI. No patch is currently available for this vulnerability.
Acronis Cyber Protect and Cloud Agent on macOS before specific builds contain an insecure Unix socket permissions vulnerability that allows local authenticated users to escalate privileges and gain complete system control. An attacker with local access can exploit this misconfiguration to read sensitive data, modify system files, and execute arbitrary commands with elevated rights. No patch is currently available for this HIGH severity vulnerability.
Remote denial-of-service in RustDesk Client through 1.4.5 allows network-positioned attackers to disrupt the remote-access agent by manipulating heartbeat synchronization traffic, abusing weak authenticity checks in the hbbs_http/sync.rs heartbeat loop to trigger the stop-service handler. Publicly available exploit code exists, but EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis being tracked as actively exploited (not in CISA KEV).
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
RustDesk Server Pro through version 1.7.5 transmits sensitive address book credentials in cleartext over the network heartbeat synchronization API, enabling attackers to intercept and obtain authentication credentials without authentication. The vulnerability affects Windows, macOS, and Linux deployments where the address book sync functionality is enabled. No patch is currently available.
RustDesk Client through version 1.4.5 transmits sensitive preset address book credentials in cleartext during heartbeat synchronization, enabling network eavesdropping attacks across Windows, macOS, Linux, iOS, and Android platforms. An attacker positioned to intercept network traffic can capture authentication credentials by sniffing the unencrypted JSON payload. No patch is currently available for this high-severity vulnerability (CVSS 8.7).
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Configuration tampering in RustDesk Client through 1.4.5 allows a network-positioned attacker to manipulate Application API messages exchanged between the client and its rendezvous/sync server, altering client strategy and configuration options. The flaw spans every supported platform (Windows, macOS, Linux, iOS, Android, WebClient) and stems from insecure handling in the Strategy merge loop and Config::set_options(), giving an MitM attacker the ability to silently rewrite client behavior. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.05% (16th percentile).
Password brute-forcing weakness in RustDesk Server Pro through 1.7.5 and RustDesk Server (OSS) through 1.1.15 allows remote attackers to attack the peer authentication and API login modules without triggering rate limiting, while the SHA256(SHA256(pwd+salt)+challenge) construction provides insufficient computational cost to resist offline guessing. The flaw combines CWE-307 (missing throttling of authentication attempts) with weak password hashing on Windows, macOS, and Linux deployments, and no public exploit has been identified at time of analysis.
Authentication bypass in RustDesk Client through 1.4.5 across Windows, macOS, Linux, iOS, and Android allows remote attackers to replay captured session IDs and login proofs to impersonate legitimate peers without knowing the original credentials. The flaw stems from insufficient computational effort in the hash_password() routine combined with reusable session identifiers in the login proof construction, enabling capture-replay attacks against the peer authentication module. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.04% (12th percentile).
RustDesk Client through version 1.4.5 on Windows, macOS, and Linux uses weak password hashing and improper object prototype handling in its password security and configuration encryption modules, allowing local authenticated attackers to extract embedded sensitive data including passwords and machine identifiers. The vulnerability affects critical cryptographic functions including symmetric_crypt() and decrypt_str_or_original(), enabling attackers with local access and valid credentials to compromise encrypted credentials and system identifiers. No patch is currently available.
Privilege escalation in RustDesk Client through version 1.4.5 on Windows, macOS, Linux, iOS, and Android allows unauthenticated remote attackers to abuse API sync and configuration management functions. The vulnerability in the rendezvous mediator and HTTP sync modules enables attackers to gain elevated privileges without user interaction. No patch is currently available for affected users.
RustDesk Server Pro through version 1.7.5 uses weak cryptographic algorithms in configuration string generation and web console export functions, enabling attackers to extract sensitive embedded data from exported configurations. This vulnerability affects Windows, macOS, and Linux deployments and requires no authentication or user interaction to exploit. No patch is currently available.
RustDesk Client through version 1.4.5 uses a broken cryptographic algorithm that allows attackers to retrieve sensitive embedded data during config import, URI scheme handling, or CLI operations across Windows, macOS, Linux, iOS, Android, and web clients. An unauthenticated remote attacker can exploit this vulnerability without user interaction to extract sensitive configuration information. No patch is currently available for this high-severity vulnerability.
Command injection in exiftool's PNG file parser on macOS allows remote attackers to execute arbitrary OS commands by manipulating the DateTimeOriginal argument in the SetMacOSTags function. Public exploit code exists for this vulnerability, and affected users should upgrade to version 13.50 or later to remediate the issue.
Address bar spoofing in Firefox before 148 allows malicious scripts to desynchronize the displayed URL from actual web content before receiving a response, enabling phishing attacks.
OpenClaw's mDNS/Bonjour discovery beacons transmit unauthenticated TXT records that iOS, macOS, and Android clients treat as authoritative for routing and TLS certificate pinning, allowing an attacker on a shared LAN to advertise a rogue service and redirect connections to attacker-controlled endpoints. An attacker can exploit this to bypass TLS pinning validation and potentially capture Gateway credentials through man-in-the-middle attacks. The vulnerability affects OpenClaw versions prior to 2026.2.14 and requires network proximity but no user interaction.
Firefox for iOS before version 147.2.1 fails to properly synchronize the address bar with page content when malicious scripts interfere with new tab loading, enabling attackers to conduct HTML spoofing attacks under trusted domains. An attacker can exploit this through a malicious webpage to deceive users into believing they are viewing legitimate content from a trusted site. This vulnerability requires user interaction to trigger but has no patch currently available.
Apple's kernel across all platforms (iOS, macOS, watchOS, visionOS, tvOS) contains a memory corruption vulnerability (CVE-2026-20700, CVSS 7.8) that allows attackers with memory write capability to execute arbitrary code at the kernel level. KEV-listed with Apple confirming reports of sophisticated in-the-wild exploitation, this represents an active zero-day targeting the Apple ecosystem at its most fundamental security boundary.
Deleted notes on affected Apple iOS and iPadOS devices remain accessible due to improper state management, allowing unauthenticated remote attackers to discover sensitive deleted content without user interaction. This information disclosure vulnerability affects iOS 26.3, iPadOS 26.3, iOS 18.7.5, and iPadOS 18.7.5, with no patch currently available for earlier versions.
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Tahoe 26.3. [CVSS 3.3 LOW]
Sandboxed applications on Apple platforms (macOS Tahoe, Sonoma, Sequoia, iOS, and iPadOS) can bypass app state observability restrictions to access sensitive user data. A local attacker with app execution privileges could exploit this information disclosure vulnerability to observe data from other applications. Patches are available in macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5, and iPadOS 18.7.5.
Unauthorized access to sensitive user data in iOS and iPadOS results from improper state management in authorization checks, allowing local applications to bypass access restrictions. This medium-severity vulnerability affects Apple iOS/iPadOS users running versions prior to 18.7.5 and 26.3, with no patch currently available. A malicious app with user permissions could extract confidential information without additional user interaction.
Race condition in Apple macOS/iOS symlink handling allows privilege escalation. Fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5.
Safari web extensions on Apple platforms can leak user tracking information due to inadequate state management controls, allowing websites to identify and monitor individual users across browsing sessions. This vulnerability affects iOS, iPadOS, macOS, and visionOS, and is resolved in version 26.3 of each platform. The low CVSS score reflects limited direct user impact, though it represents a privacy concern for Safari users.
Information disclosure in Apple's image processing across iOS, iPadOS, macOS, tvOS, and visionOS allows local attackers to extract sensitive user data by supplying a specially crafted image file. The vulnerability requires user interaction to trigger the malicious image processing and affects multiple OS versions prior to their patched releases. No patch is currently available for affected users.
iOS and iPadOS devices expose sensitive user information to attackers with physical access to locked devices due to improper data handling in the system. The vulnerability allows unauthorized viewing of confidential information without requiring authentication or user interaction. Apple patched this information disclosure flaw in iOS 26.3 and iPadOS 26.3.
Mail content filtering bypass in Apple macOS, iOS, and iPadOS allows remote content to load in message previews despite user-disabled remote content settings. An attacker can exploit this logic flaw to track user engagement or deliver malicious content that bypasses the intended privacy protection. Patches are available in macOS Sequoia 15.7.4, iOS 18.7.5, iPadOS 18.7.5, macOS Tahoe 26.3, and macOS Sonoma 14.8.4.
A logic issue was addressed with improved checks. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3. [CVSS 3.1 LOW]
macOS path validation bypass allows local authenticated users to read sensitive user data through improper directory path parsing. The vulnerability requires local access and valid credentials, limiting the attack surface to users already on the affected system. No patch is currently available for this medium-severity issue affecting macOS Tahoe 26.3 and earlier versions.
Sandbox escape in Apple macOS, iOS, and watchOS allows local authenticated attackers to break out of application sandboxes and gain unauthorized access to system resources and other applications' data. The vulnerability stems from insufficient validation logic in sandbox enforcement mechanisms, enabling privilege escalation with high impact on confidentiality, integrity, and availability across affected devices. No patch is currently available.
Unauthorized access to sensitive user data in macOS can be achieved by local applications due to improper authorization state management affecting macOS Tahoe 26.2 and earlier. An attacker with local access and basic user privileges can exploit this flaw to read confidential information without user interaction. No patch is currently available for this vulnerability.
The issue was resolved by sanitizing logging. This issue is fixed in iOS 26.3 and iPadOS 26.3, iOS 18.7.5 and iPadOS 18.7.5. [CVSS 3.3 LOW]
macOS devices running Sequoia 15.7.3 and earlier or Tahoe 26.2 and earlier contain an authorization bypass that permits an attacker with physical access to a locked device to view sensitive user information through improper state management. This vulnerability affects all macOS users and carries a MEDIUM severity rating with no available patch at this time. The flaw requires direct device access and does not enable code execution or system modification.
iOS and iPadOS devices with physical access vulnerabilities allow attackers to bypass authorization controls and access sensitive user information on locked devices through improper state management. The flaw affects multiple iOS versions including 18.7.5 and earlier, requiring only physical access to the device with no user interaction or elevated privileges. Apple has issued patches in iOS 26.3 and iPadOS 26.3, though updates for earlier versions (iOS 18.7.5 and iPadOS 18.7.5) are also available.
Arbitrary file write vulnerability in Apple's macOS, iOS, iPadOS, and Safari resulting from improper path handling logic allows remote attackers to write files without authentication or user interaction. Affected versions include macOS Tahoe 26.3 and earlier, macOS Sonoma 14.8.4 and earlier, iOS 18.7.5 and earlier, and Safari 26.3 and earlier. No patch is currently available for this high-severity vulnerability.
Unprivileged local users on macOS can exploit a package validation bypass to escalate privileges to root through a vulnerable application. This high-severity issue affects macOS systems up to version 26.2 and requires local access with standard user privileges. A patch is not yet available, leaving affected systems exposed to privilege escalation attacks.
A logic issue was addressed with improved validation. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, Safari 26.3, macOS Tahoe 26.3. [CVSS 3.3 LOW]
Sensitive information disclosure in Apple iOS and iPadOS results from improper state management in authorization checks, allowing an attacker with physical access to a locked device to view confidential user data. The vulnerability affects multiple iOS and iPadOS versions and currently lacks an available patch. Local privilege or device access is required, making this a risk primarily to users whose devices may be physically compromised.
A local privilege escalation vulnerability in Apple's operating systems (macOS, iOS, visionOS, and iPadOS) allows authenticated users to trigger a buffer overflow condition resulting in denial of service through application crashes. The vulnerability stems from improper memory handling and affects multiple Apple platforms including watchOS and tvOS. Currently, no patch is available, though the vendor has indicated fixes will be included in upcoming OS updates.
Improper path validation in Apple's macOS, iOS, and visionOS allows local attackers to bypass directory access restrictions and read sensitive user data through crafted file paths. An authenticated user with local access can exploit this parsing weakness without user interaction to access confidential information. No patch is currently available for this vulnerability.
Remote denial-of-service attacks against Apple's macOS, iOS, iPadOS, Safari, and visionOS result from improper memory handling that allows unauthenticated attackers to crash affected systems over the network. The vulnerability affects multiple Apple platforms and requires no user interaction or elevated privileges to exploit. Patches are available for macOS Tahoe 26.3, iOS/iPadOS 18.7.5, visionOS 26.3, and Safari 26.3.
Denial-of-service attacks targeting Apple's Bluetooth stack (macOS, iOS, visionOS, watchOS) can be triggered by attackers with network access through specially crafted packets, causing service interruption without requiring user interaction. An attacker positioned on the same network segment can exploit insufficient input validation to crash Bluetooth functionality across affected devices. No patch is currently available for this vulnerability.
Insufficient data redaction in Apple's logging mechanisms across macOS, iOS, watchOS, and tvOS allows unauthenticated attackers to view sensitive user information without user interaction. This network-accessible vulnerability affects multiple Apple platforms and products with a CVSS score of 7.5. Patches are available in watchOS 26.3, iOS 26.3, iPadOS 26.3, tvOS 26.3, and macOS Tahoe 26.3.
Malicious applications on macOS can intercept and read notifications synced from other iCloud-connected devices due to improper access controls on notification data. This local privilege escalation affects macOS versions prior to Tahoe 26.3 and requires user interaction to execute the malicious app. An attacker with local access could gain unauthorized visibility into private notifications and communications across a user's device ecosystem.
This issue was addressed with improved data protection. This issue is fixed in macOS Tahoe 26.3. [CVSS 5.5 MEDIUM]
A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.3. [CVSS 3.3 LOW]
Information disclosure on locked iOS and iPadOS devices stems from improper UI state management, allowing an attacker with physical device access to view sensitive user data. The vulnerability affects multiple Apple mobile OS versions and currently lacks a public patch, though fixes are available in iOS 26.3, iPadOS 26.3, iOS 18.7.5, and iPadOS 18.7.5.
Memory handling flaws in Apple's macOS, iOS, iPadOS, and Safari allow remote attackers to crash affected processes by serving specially crafted web content, requiring only user interaction to trigger the denial of service. The vulnerability affects multiple Apple platforms and products across recent versions, with fixes available in macOS Tahoe 26.3, iOS 18.7.5, iPadOS 18.7.5, and Safari 26.3. No patches are currently available for all affected versions.
An input validation issue was addressed. This issue is fixed in iOS 26.3 and iPadOS 26.3. [CVSS 2.4 LOW]
Installed application enumeration in Apple operating systems (macOS, iOS, iPadOS, tvOS, visionOS, watchOS) allows local applications to discover what other apps a user has installed through insufficient privacy controls. An attacker can exploit this through a malicious app to profile a user's installed software without explicit permission. This vulnerability affects multiple Apple platforms and requires user interaction to execute a malicious application.
iPhone Mirroring in iOS and iPadOS allows an attacker with physical device access to bypass UI protections and capture screenshots containing sensitive information that should remain hidden during the mirroring session. The vulnerability stems from insufficient state management in the user interface, enabling unauthorized viewing of private data on the iPhone while it is being mirrored to a Mac. No patch is currently available for this medium-severity issue.
A logic issue was addressed with improved checks. This issue is fixed in iOS 26.3 and iPadOS 26.3. [CVSS 5.5 MEDIUM]
Denial of service in Apple Safari, iOS, iPadOS, and macOS results from improper memory handling when processing maliciously crafted web content, causing unexpected process crashes. An unauthenticated remote attacker can trigger this vulnerability through a specially crafted webpage, affecting users who view the malicious content. No patch is currently available for this vulnerability.
Denial of service affecting Apple's macOS, iOS, iPadOS, watchOS, tvOS, and visionOS results from a memory handling flaw that crashes processes when parsing malicious web content. An unauthenticated remote attacker can trigger unexpected application termination through crafted web pages, requiring only user interaction to visit a malicious site. A patch is not currently available for this medium-severity vulnerability.
Memory disclosure in Apple's image processing across macOS, iOS, iPadOS, tvOS, and visionOS allows local attackers with user interaction to leak sensitive process memory by submitting a specially crafted image file. The vulnerability requires no elevated privileges and affects multiple Apple operating system versions, with fixes available in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, and corresponding iOS/iPadOS updates. An attacker could exploit this to extract confidential data from running processes on the targeted device.
macOS systems running versions prior to Tahoe 26.3 contain an improper permissions restriction that allows local applications to read sensitive user data without authorization. A threat actor with local access could exploit this vulnerability to exfiltrate protected information. A patch is currently unavailable for affected systems.
Improper temporary file handling in macOS allows local applications to read sensitive user data without user interaction. An attacker with local access and app execution privileges can bypass privacy controls to access confidential information. This vulnerability affects macOS Tahoe 26.3 and earlier, with no patch currently available.
Sandbox escape vulnerability in Apple's macOS, iOS, tvOS, and related platforms (CVE-2026-20628) permits malicious applications to break out of their sandbox restrictions through a permissions bypass. A local attacker with user interaction can achieve high-impact confidentiality and integrity violations by exploiting this weakness. Patches are available across multiple OS versions including macOS Tahoe 26.3, iOS 18.7.5, tvOS 26.3, and others.