Skip to main content

Apple

8071 CVEs vendor

Monthly

CVE-2026-20627 MEDIUM This Month

Insufficient validation of environment variables in Apple's macOS, iOS, iPadOS, and visionOS allows local applications to read sensitive user data without user interaction. An attacker with the ability to run code on the affected device could exploit this to access confidential information through improperly sanitized environment variable handling. A patch is not currently available for this medium-severity vulnerability.

Apple Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20626 HIGH This Week

Privilege escalation vulnerability in Apple's macOS, iOS, iPadOS, and visionOS allows a malicious application to obtain root-level access through insufficient authorization checks. Local attackers with the ability to install or execute an app can exploit this to gain complete system control. No patch is currently available for this high-severity vulnerability affecting multiple Apple platforms.

Apple Authentication Bypass
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20625 MEDIUM This Month

Improper path validation in macOS and visionOS allows local attackers with user interaction to read sensitive user data through directory path manipulation. The vulnerability affects macOS Sequoia 15.7.3 and earlier, macOS Sonoma 14.8.3 and earlier, macOS Tahoe 26.2 and earlier, and visionOS 26.2 and earlier. No patch is currently available.

Apple Path Traversal
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20624 MEDIUM This Month

Improper input validation in macOS Sequoia, Tahoe, and Sonoma allows local applications to access sensitive user data through an injection attack that requires user interaction. An attacker with a malicious app could exploit this vulnerability to read confidential information on affected systems. No patch is currently available for this medium-severity issue.

Apple Authentication Bypass
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20623 MEDIUM This Month

macOS applications can bypass permission restrictions to access sensitive user data due to a permissions validation flaw affecting macOS versions prior to Tahoe 26.3. An attacker would need local access and user interaction to exploit this vulnerability, resulting in unauthorized disclosure of protected information without affecting system integrity or availability. This issue has been patched in macOS Tahoe 26.3.

Apple macOS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20621 MEDIUM This Month

Improper memory handling in Apple operating systems (macOS, iOS, iPadOS, visionOS) allows local attackers with user-level privileges to trigger kernel memory corruption or unexpected system crashes without user interaction. The vulnerability affects multiple macOS versions (Tahoe 26.3, Sonoma 14.8.4, Sequoia 15.7.4) and iOS/iPadOS 18.7.5 and later. No patch is currently available for this medium-severity flaw.

Apple Buffer Overflow
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20620 HIGH This Week

Local attackers can exploit an out-of-bounds read vulnerability in macOS and Linux systems to crash the kernel or leak sensitive kernel memory, affecting macOS Sequoia 15.7.3 and earlier, macOS Tahoe 26.2 and earlier, and macOS Sonoma 14.8.3 and earlier. The vulnerability requires local access but no special privileges or user interaction to trigger. No patch is currently available for this HIGH severity issue.

Apple Buffer Overflow Information Disclosure
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-20619 MEDIUM This Month

macOS applications can access sensitive user data through insufficient log data redaction in Sequoia 15.7.3 and earlier, and Tahoe 26.2 and earlier. A local attacker with user interaction can exploit this information disclosure vulnerability to read confidential information that should be protected. No patch is currently available for this vulnerability.

Apple macOS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20618 MEDIUM This Month

macOS Tahoe versions prior to 26.3 contain an improper temporary file handling vulnerability that allows local authenticated applications to read sensitive user data. The vulnerability requires local access and valid user privileges but poses no risk to system integrity or availability. No patch is currently available for affected systems.

Apple macOS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20617 HIGH This Week

Unprivileged local users can exploit a race condition in Apple's operating systems (macOS, iOS, iPadOS, tvOS, and visionOS) to escalate privileges to root through improper state handling during concurrent operations. This vulnerability affects multiple OS versions and requires local access with low privileges to trigger, making it exploitable by malicious applications or local attackers. No patch is currently available for this vulnerability.

Apple Race Condition Information Disclosure
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-20616 HIGH This Week

Memory corruption in Apple's USD file processing across iPhone OS, iPadOS, and visionOS enables attackers to crash applications through crafted malicious files, with high severity impact on confidentiality, integrity, and availability. The vulnerability requires user interaction to trigger (opening a malicious USD file) but needs no special privileges, affecting a large user base across multiple Apple platforms. No patch is currently available for this out-of-bounds write vulnerability.

Apple Memory Corruption Buffer Overflow
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-20615 HIGH This Week

Local privilege escalation in Apple macOS, iOS, and iPadOS through improper path validation allows authenticated attackers to gain root privileges on affected devices. The vulnerability requires local access and user interaction is not required, making it exploitable by malicious applications already present on the system. No patch is currently available for this high-severity flaw affecting multiple Apple operating systems.

Apple Path Traversal
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20614 HIGH This Week

Improper path validation in macOS (Sequoia 15.7.3 and earlier, Tahoe 26.2 and earlier, Sonoma 14.8.3 and earlier) permits local authenticated users to escalate privileges to root through a malicious application. This path traversal vulnerability (CWE-22) has a CVSS score of 7.8 and currently lacks a publicly available patch.

Apple Path Traversal
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20612 MEDIUM This Month

Unauthorized data access in macOS Sequoia, Tahoe, and Sonoma allows locally-installed applications to read sensitive user information due to insufficient privacy validation checks. An attacker with the ability to install or control an application on an affected system can exploit this to access confidential data without user consent. A patch is currently unavailable for this medium-severity vulnerability.

Apple Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20611 HIGH This Week

Memory corruption in Apple's media processing across iOS, macOS, watchOS, tvOS, and visionOS allows local attackers to crash applications or corrupt process memory by supplying specially crafted media files. An attacker with local access and user interaction can trigger out-of-bounds memory access during media file parsing, potentially leading to arbitrary code execution or denial of service. No patch is currently available for this vulnerability.

Apple Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20610 HIGH This Week

Improper symlink handling in macOS Tahoe versions prior to 26.3 allows local authenticated users to escalate privileges to root. An attacker with local access can exploit this vulnerability to gain complete system control. No patch is currently available.

Apple macOS
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20609 MEDIUM This Month

Memory handling vulnerabilities across Apple's macOS, iOS, and iPadOS platforms allow local attackers to trigger denial-of-service conditions or leak sensitive memory contents by processing specially crafted files. The vulnerability requires user interaction and local access, affecting multiple OS versions with patches available across the Apple ecosystem. CVSS 4.4 (Medium) severity reflects the limited attack surface and lack of remote exploitability.

Apple Buffer Overflow Information Disclosure
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-20608 MEDIUM PATCH This Month

Denial of service in Apple macOS, iOS, and iPadOS results from improper state management when processing malicious web content, causing unexpected process crashes. Local attackers with user interaction can trigger this vulnerability to disrupt system availability. No patch is currently available.

Apple Denial Of Service Ipados Iphone Os Visionos
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20606 HIGH This Week

Applications on Apple macOS and iOS platforms can circumvent user privacy preferences through a code execution vulnerability affecting multiple OS versions including Tahoe 26.3, Sonoma 14.8.4, Sequoia 15.7.4, and iOS 18.7.5. A local attacker with user interaction can exploit this to access sensitive user data or modify system settings protected by privacy controls. The vulnerability requires patching through official OS updates, as no workaround is currently available.

Apple Information Disclosure
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-20605 MEDIUM This Month

System process denial of service affecting Apple macOS, iOS, and iPadOS through improper memory handling allows local attackers with physical access to crash critical system processes. The vulnerability impacts multiple recent OS versions including macOS Sequoia 15.7.4, iOS 18.7.5, iPadOS 18.7.5, and newer releases, with patches available for affected users. This could enable attackers to disrupt system stability and availability on vulnerable Apple devices.

Apple Buffer Overflow
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-20603 MEDIUM This Month

Root-privileged applications on macOS can bypass information redaction mechanisms to access sensitive user data due to inadequate access controls. This affects macOS Tahoe 26.3 and earlier versions, allowing a malicious or compromised privileged app to read private information that should be protected. No patch is currently available for this vulnerability.

Apple macOS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-20602 MEDIUM This Month

macOS cache handling vulnerability CVE-2026-20602 allows local users with standard privileges to trigger a denial-of-service condition on affected systems running macOS Sonoma 14.8.4 and earlier, macOS Sequoia 15.7.4 and earlier, or macOS Tahoe 26.3 and earlier. No patch is currently available for this issue.

Apple Denial Of Service
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20601 LOW Monitor

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.3. [CVSS 3.3 LOW]

Apple macOS
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-46310 MEDIUM This Month

This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. [CVSS 6.0 MEDIUM]

Apple Privilege Escalation
NVD VulDB
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-46305 MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Buffer Overflow
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-46304 MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Denial Of Service
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-46303 MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Buffer Overflow
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-46302 MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Buffer Overflow
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-46301 MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Buffer Overflow
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-46300 MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Buffer Overflow
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-46290 HIGH This Week

A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. [CVSS 7.5 HIGH]

Apple Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-43537 MEDIUM This Month

A path handling issue was addressed with improved validation. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5. [CVSS 5.5 MEDIUM]

Apple Path Traversal
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43417 MEDIUM This Month

A path handling issue was addressed with improved logic. This issue is fixed in macOS Sonoma 14.8.4. [CVSS 5.5 MEDIUM]

Apple Path Traversal Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43403 MEDIUM This Month

An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. [CVSS 5.5 MEDIUM]

Apple Authentication Bypass
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-24051 Go HIGH PATCH This Week

Arbitrary code execution in OpenTelemetry Go SDK versions 1.20.0 through 1.39.0 on macOS results from insecure PATH resolution when executing the ioreg system command during resource detection. A local attacker with the ability to modify the PATH environment variable can hijack the command search path and execute arbitrary code with the privileges of the affected application. The vulnerability is resolved in version 1.40.0 and later.

Opentelemetry Go Apple RCE
NVD GitHub
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-24070 HIGH POC This Week

Native Access on macOS allows local authenticated attackers to inject malicious libraries into the privileged XPC helper process due to overly permissive code signing entitlements, enabling arbitrary code execution with system-level privileges. The vulnerability stems from the application being signed with dyld environment variable and library validation bypass entitlements while communicating with a trusted helper that validates only the signing certificate. Public exploit code exists, and no patch is currently available.

Privilege Escalation Apple
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-69604 HIGH This Week

An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allow a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls. [CVSS 7.8 HIGH]

Privilege Escalation Apple Superduper
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-46316 MEDIUM This Month

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 26.1 and iPadOS 26.1, Pages 15.1, macOS Tahoe 26.1. [CVSS 4.3 MEDIUM]

Apple Buffer Overflow Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-46306 MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Tahoe 26, Keynote 15.1, iOS 26 and iPadOS 26. [CVSS 5.5 MEDIUM]

Apple Information Disclosure Buffer Overflow macOS iOS
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23950 npm MEDIUM POC PATCH This Month

Symlink poisoning via race condition in node-tar up to version 7.5.3 allows attackers to exploit Unicode normalization on case-insensitive filesystems like macOS APFS, where the path reservation system fails to serialize operations on colliding paths. Public exploit code exists for this vulnerability, enabling concurrent processing that bypasses internal safeguards. Node.js users and applications depending on vulnerable tar versions should update immediately, as attackers can leverage this to manipulate file operations during archive extraction.

Node.js Tar Apple RCE
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-43508 MEDIUM This Month

Macos versions up to 26.0 is affected by insertion of sensitive information into log file (CVSS 5.5).

Apple macOS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-31186 LOW Monitor

A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 16.3. [CVSS 3.3 LOW]

Apple Authentication Bypass
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-24090 LOW Monitor

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. [CVSS 3.3 LOW]

Apple iOS
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-24089 MEDIUM This Month

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. [CVSS 5.3 MEDIUM]

Apple iOS Iphone Os Ipados
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-54556 LOW Monitor

This issue was addressed through improved state management. This issue is fixed in iOS 18.1 and iPadOS 18.1. [CVSS 2.4 LOW]

Apple iOS
NVD
CVSS 3.1
2.4
EPSS
0.0%
CVE-2024-44238 HIGH This Week

The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. [CVSS 7.8 HIGH]

Apple Buffer Overflow
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-44210 LOW Monitor

This issue was addressed with improved permissions checking. This issue is fixed in macOS Sequoia 15.1. [CVSS 3.3 LOW]

Apple macOS
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-46299 MEDIUM PATCH This Month

A memory initialization issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. [CVSS 4.3 MEDIUM]

Apple Authentication Bypass Red Hat Suse
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-46298 MEDIUM This Month

The issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. [CVSS 6.5 MEDIUM]

Apple Buffer Overflow
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-46297 MEDIUM This Month

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.2. [CVSS 5.5 MEDIUM]

Apple macOS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-46286 MEDIUM This Month

A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. [CVSS 4.3 MEDIUM]

Apple iOS Ipados Iphone Os
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14979 HIGH This Week

AirVPN Eddie on MacOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root.This issue affects Eddie: 2.24.6.

Privilege Escalation Apple
NVD GitHub
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-15246 LOW Monitor

A vulnerability was determined in aizuda snail-job up to 1.7.0 on macOS. Affected by this vulnerability is the function FurySerializer.deserialize of the component API. This manipulation of the argument argsStr causes deserialization. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

Apple Deserialization
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14744 MEDIUM This Month

Unicode right-to-left override (RTLO) characters in malicious websites can spoof filenames displayed in Firefox for iOS downloads UI, potentially tricking users into saving files with misleading extensions and types. Affects Firefox for iOS versions prior to 144.0; requires user interaction to download a file. The vulnerability has low real-world exploitation probability (EPSS 0.04%) despite the moderate CVSS score, as it relies on social engineering and user inattention rather than automatic code execution.

Mozilla Information Disclosure Apple
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-46292 MEDIUM This Month

Local authenticated applications on iOS and iPadOS can access user-sensitive data due to insufficient entitlement checks, affecting iOS 18.7.2 and earlier and iPadOS 18.7.2 and earlier (as well as iOS 26.1 and iPadOS 26.1 and earlier). An attacker with app installation capability can exploit this vulnerability to bypass privacy controls and exfiltrate protected user information. No public exploit identified at time of analysis, though the 5.5 CVSS score and information disclosure classification indicate moderate real-world risk in targeted attack scenarios.

Apple iOS Information Disclosure Ipados Iphone Os
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-46288 MEDIUM This Month

Local privilege escalation in Apple operating systems (iOS, iPadOS, macOS Tahoe, visionOS, watchOS) allows authenticated applications to bypass payment token access restrictions and obtain sensitive payment credentials. The vulnerability affects all versions prior to the 26.2 release across affected platforms. CVSS 5.5 with low real-world exploitation risk (EPSS 0.01%), no public exploit identified, not listed in CISA KEV.

Apple iOS Information Disclosure Privilege Escalation Ipados +3
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-46283 MEDIUM This Month

A logic validation flaw in macOS Sonoma and Tahoe allows local authenticated apps to access sensitive user data through improved validation mechanisms that were previously insufficient. The vulnerability affects macOS Sonoma versions prior to 14.8.4 and macOS Tahoe prior to 26.2, requiring local access and valid user privileges (PR:L) to exploit. With an EPSS score of 0.02% and no public exploit code identified, the real-world exploitation probability remains minimal despite the CVSS 5.5 rating, though the high confidentiality impact (C:H) warrants timely patching for systems handling sensitive information.

Apple macOS Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-46282 MEDIUM This Month

Safari and macOS allow local authenticated applications to access sensitive user data through improper permission enforcement. The vulnerability affects Safari versions prior to 26.2 and macOS versions prior to Tahoe 26.2, exploitable by apps running with user-level privileges that can bypass authorization checks to read protected user information. Apple has released patched versions with additional permission validation; EPSS data indicates minimal real-world exploitation likelihood despite the authenticated local attack vector.

Apple Safari macOS Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-46279 LOW Monitor

Installed app enumeration via permissions bypass in Apple operating systems allows a locally authenticated app to discover what other applications a user has installed through insufficient access controls. Affects iOS 18.7.2 and earlier, iPadOS 18.7.2 and earlier, macOS Tahoe 26.1 and earlier, tvOS 26.1 and earlier, visionOS 26.1 and earlier, and watchOS 26.1 and earlier. The vulnerability has a low CVSS score (3.3) with extremely low exploitation probability (EPSS 0.02%) and no public exploit identified at time of analysis.

Apple iOS Information Disclosure Ipados Iphone Os +3
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-46277 LOW Monitor

Local apps on Apple devices can access a user's Safari browsing history due to insufficient data redaction in system logging, affecting iOS, iPadOS, macOS Tahoe, and watchOS prior to version 26.2. An attacker with local app execution privileges can extract sensitive Safari history from system logs without user interaction. This vulnerability carries a 3.3 CVSS score with minimal real-world exploitation probability (EPSS 0.01%) and no known public exploits.

Apple iOS macOS Information Disclosure Ipados +2
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-43536 MEDIUM PATCH This Month

Use-after-free memory corruption in Apple's WebKit rendering engine allows remote attackers to crash Safari and iOS/iPadOS applications by processing maliciously crafted web content, requiring only user interaction (page visit) and no authentication. The vulnerability affects Safari 26.2, iOS 18.7.3 and iOS 26.2, iPadOS 18.7.3 and iPadOS 26.2, and macOS Tahoe 26.2 and earlier versions. With an EPSS score of 0.06% and no public exploit confirmed, this represents a low real-world exploitation priority despite the moderate CVSS 4.3 severity rating, with impact limited to denial of service through process termination.

Apple Safari iOS macOS Use After Free +5
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-43533 MEDIUM This Month

Memory corruption vulnerability in Apple's HID (Human Interface Device) input handling subsystem affecting iOS, iPadOS, macOS, watchOS, tvOS, and visionOS. A malicious HID device can trigger unexpected process crashes through improved input validation failures, resulting in denial of service. The vulnerability has a CVSS score of 5.7 (medium severity) with adjacent network attack vector and requires user interaction; no evidence of active exploitation or public POC is indicated in available intelligence.

Apple Buffer Overflow
NVD VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-43531 LOW Monitor

Safari and Apple operating systems contain a race condition that crashes the rendering process when processing maliciously crafted web content, affecting Safari 26.2 and earlier, iOS 18.7.3 and earlier, iPadOS 18.7.3 and earlier, macOS Tahoe 26.2 and earlier, tvOS 26.2 and earlier, visionOS 26.2 and earlier, and watchOS 26.2 and earlier. The vulnerability requires user interaction (clicking a malicious link or visiting a hostile website) and has high attack complexity, resulting in denial of service through process crash rather than data compromise. No public exploit code has been identified, EPSS exploitation probability is very low at 0.12%, and Apple has released patched versions across all affected platforms.

Apple Safari iOS macOS Race Condition +6
NVD
CVSS 3.1
3.1
EPSS
0.1%
CVE-2025-43529 HIGH KEV PATCH THREAT Act Now

WebKit arbitrary code execution via use-after-free memory corruption affects Safari 26.2, iOS/iPadOS 18.7.3 through 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, and watchOS 26.2, allowing remote attackers to execute arbitrary code by convincing users to visit malicious websites. This vulnerability is confirmed actively exploited (CISA KEV) in extremely sophisticated targeted attacks against specific individuals on iOS versions prior to iOS 26, per Apple's security bulletin. EPSS score of 0.12% (32nd percentile) significantly understates real-world risk given confirmed exploitation. Related vulnerability CVE-2025-14174 was issued for the same exploitation campaign, suggesting a complex attack chain targeting Apple ecosystem users.

Apple Use After Free RCE Memory Corruption Red Hat +1
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-43526 CRITICAL Act Now

Apple Safari and macOS Lockdown Mode can be bypassed to access restricted Web APIs through maliciously crafted file URLs due to insufficient URL validation. Affects Safari 26.2 and macOS Tahoe 26.2 on systems with Lockdown Mode enabled. Remote attackers can potentially execute high-impact attacks leveraging APIs meant to be restricted in high-security configurations. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis. This represents a serious compromise of Apple's enhanced security feature designed to protect high-risk users from targeted attacks.

Apple Safari macOS Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-43428 CRITICAL Act Now

Unauthenticated access to Hidden Photos Album in Apple iOS, iPadOS, macOS, and visionOS allows remote attackers to view protected photos without authentication due to a configuration flaw. Fixed in iOS/iPadOS 26.2, macOS Tahoe 26.2, and visionOS 26.2. CVSS 9.8 (Critical) reflects network-based unauthenticated access, though EPSS of 0.13% (32nd percentile) suggests low observed exploitation probability. No public exploit identified at time of analysis, and not listed in CISA KEV. This represents a privacy-critical authentication bypass affecting Apple's Photos app across all major platforms.

Apple iOS Authentication Bypass Information Disclosure Ipados +2
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-46289 MEDIUM This Month

Improper file handling in macOS allows local applications to access protected user data through a logic flaw in the operating system's file access controls. The vulnerability affects macOS Sequoia, Sonoma, and Tahoe, requiring user interaction to trigger exploitation and resulting in unauthorized disclosure of sensitive information without the ability to modify or disable system access. Apple has released patched versions (macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2), with no public exploit code identified at time of analysis.

Apple macOS Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-46287 MEDIUM This Month

FaceTime caller ID spoofing vulnerability in Apple operating systems allows remote attackers to spoof their caller identity due to inconsistent user interface state management. Affected versions include iOS 18.7.2 and earlier, iPadOS 18.7.2 and earlier, macOS Sequoia 15.7.2 and earlier, macOS Sonoma 14.8.2 and earlier, macOS Tahoe 26.1 and earlier, visionOS 26.1 and earlier, and watchOS 26.1 and earlier. The vulnerability requires no user interaction or authentication and carries low real-world exploitation risk (EPSS 0.07%, percentile 21%), with no public exploit code or active exploitation confirmed.

Apple iOS macOS Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-46285 HIGH This Week

Local privilege escalation to root on Apple platforms via integer overflow in timestamp handling allows authenticated users with low-level access to fully compromise system integrity and confidentiality. Affects iOS, iPadOS, macOS (Sequoia, Sonoma, Tahoe), tvOS, visionOS, and watchOS prior to February 2025 security updates. Vendor-released patches available across all platforms. EPSS probability is minimal (0.02%, 4th percentile), and no public exploit identified at time of analysis, though the local attack vector with low complexity and authenticated requirement reduces remote exploitation risk but creates insider threat exposure.

Apple iOS macOS Integer Overflow Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-46276 MEDIUM This Month

Local apps can access sensitive user data through improved privacy controls in Apple operating systems across iOS, iPadOS, macOS, visionOS, and watchOS. The vulnerability requires local network access and an authenticated user session (PR:L), limiting exposure to installed applications with explicit permissions. Confirmed patches are available across all affected platforms, and exploitation probability is very low (EPSS 0.02%), indicating this is a privacy-boundary issue rather than a critical security flaw.

Apple iOS Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43542 HIGH This Week

Password field disclosure in Apple operating systems allows remote observation of credentials during FaceTime screen sharing sessions. Affects iOS/iPadOS 18.x through 18.7.2, iOS/iPadOS 26.0-26.1, macOS Sequoia through 15.7.2, macOS Tahoe through 26.1, and visionOS through 26.1. Attackers with network access to FaceTime sessions can view password fields that should be masked, creating credential exposure risk during remote support or collaboration scenarios. EPSS score of 0.03% (10th percentile) indicates low automated exploitation probability, and no public exploit identified at time of analysis.

Apple iOS Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-43539 HIGH This Week

Memory corruption via out-of-bounds write in Apple operating systems allows remote attackers to execute arbitrary code when victims process a malicious file. The vulnerability affects macOS (Sonoma 14.x, Sequoia 15.x, Tahoe 26.x), iOS/iPadOS (18.x, 26.x), tvOS, visionOS, and watchOS 26.x. Despite a high CVSS score of 8.8, EPSS data indicates only 0.05% exploitation probability (15th percentile), and no public exploit code or active exploitation is confirmed. The flaw stems from inadequate bounds checking (CWE-787) in file processing routines, requiring user interaction but no authentication, making it a realistic phishing or malicious download target.

Apple iOS macOS Memory Corruption
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-43538 MEDIUM This Month

Local apps can access sensitive user data through inadequate log redaction in Apple's operating systems, affecting iOS 18.7.2 and earlier, iPadOS 18.7.2 and earlier, iOS 26.1 and earlier, iPadOS 26.1 and earlier, macOS Sonoma 14.8.2 and earlier, macOS Tahoe 26.1 and earlier, visionOS 26.1 and earlier, and watchOS 26.1 and earlier. The vulnerability requires local app execution with limited user privileges but no interaction, resulting in unauthorized read access to sensitive data stored in application logs. While EPSS probability is minimal (0.01%), the local attack vector and high confidentiality impact warrant patching in environments where untrusted apps may be installed.

Apple iOS Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43532 LOW Monitor

Memory corruption in Apple operating systems due to insufficient bounds checking allows local authenticated users to cause denial of service through malicious data processing, affecting iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The vulnerability requires local access and user interaction, with no public exploit identified; EPSS score of 0.02% indicates minimal real-world exploitation probability despite the assigned CVSS score of 2.8.

Apple iOS macOS Memory Corruption Denial Of Service
NVD
CVSS 3.1
2.8
EPSS
0.0%
CVE-2025-43530 MEDIUM This Month

Local apps on Apple macOS and iPadOS can access sensitive user data through inadequate information disclosure controls, requiring local execution and low-level user privileges. Affected versions include iOS 18.7.2 and earlier, iPadOS 18.7.2 and earlier, macOS Sequoia 15.7.2 and earlier, macOS Sonoma 14.8.2 and earlier, and macOS Tahoe 26.1 and earlier. Apple has released patched versions (iOS 18.7.3, iPadOS 18.7.3, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2) with improved access controls to restrict unauthorized data exposure. With an EPSS score of 0.02% (4th percentile) and no public exploit code identified at time of analysis, this represents a low real-world exploitation probability despite the moderate CVSS score.

Apple iOS Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43527 HIGH This Week

Local privilege escalation in macOS Sequoia (pre-15.7.3) and macOS Tahoe (pre-26.2) allows authenticated users with low-level privileges to gain root access via a permissions flaw. Apple addressed the issue with additional restrictions in the latest updates. EPSS score of 0.01% indicates minimal observed exploitation activity, and no public exploit identified at time of analysis.

Apple macOS Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-43523 MEDIUM This Month

Local privilege escalation in macOS allows unprivileged applications to access sensitive user data through a permissions bypass. Affects macOS Sequoia versions prior to 15.7.3 and macOS Tahoe prior to 26.2. Attack requires local system access and user interaction (UI:R). EPSS exploitation probability is very low at 0.02%, and no public exploit code or active exploitation has been reported.

Apple macOS Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43522 LOW Monitor

Intel-based Mac computers running macOS Sequoia prior to 15.7.3 or macOS Tahoe prior to 26.2 are vulnerable to a cryptographic downgrade attack that allows unprivileged local applications to bypass code-signing restrictions and access sensitive user data. The vulnerability exploits inadequate validation of signed components, enabling information disclosure through JWT or similar signed-data attacks. Active exploitation has not been confirmed, and the extremely low EPSS score (0.01%) indicates minimal real-world exploitation risk despite the local attack vector.

Apple macOS Information Disclosure
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-43521 MEDIUM This Month

Local privilege escalation on Intel-based macOS systems allows unsigned or weakly-signed applications to access sensitive user data by downgrading code-signing protections through cryptographic validation bypass. The vulnerability affects macOS Sequoia prior to 15.7.3 and macOS Tahoe prior to 26.2, requires user interaction to execute a malicious app, and has an extremely low exploitation probability (EPSS 0.01%) despite moderate CVSS severity. No active exploitation or public exploit code has been identified.

Apple macOS Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43520 MEDIUM POC KEV THREAT This Month

Apple kernel memory corruption in multiple operating systems allows a malicious application to cause unexpected system termination or write kernel memory via an out-of-bounds write flaw addressed in watchOS 26.1, iOS 18.7.2, and macOS Tahoe 26.1.

Buffer Overflow Apple Memory Corruption
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
Threat
4.1
CVE-2025-43519 MEDIUM This Month

Local privilege escalation in macOS allows authenticated applications to access sensitive user data through insufficient permission restrictions on Sequoia, Sonoma, and Tahoe versions. The vulnerability requires local access and low-privilege user context but enables high-impact confidentiality compromise without requiring user interaction or elevated privileges to trigger. A vendor-released patch is available across all affected macOS versions.

Apple macOS Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43518 LOW Monitor

Local privilege escalation in Apple's spellcheck API allows authenticated users to inappropriately access files on macOS, iOS, and related platforms through a logic flaw in access controls. Affected versions include macOS Sonoma 14.x and earlier, macOS Sequoia 15.7.2 and earlier, iOS 18.x and earlier, iPadOS 18.x and earlier, and watchOS 11.x and earlier. This vulnerability requires local access and user-level privileges but carries a low EPSS score (0.01%, percentile 3%) indicating minimal real-world exploitation likelihood at present. No public exploit code or active exploitation has been identified.

Apple iOS macOS Information Disclosure Path Traversal
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-43517 LOW Monitor

macOS logging system fails to redact protected user data from log entries, allowing local authenticated applications to access sensitive information through log files across Sequoia, Sonoma, and Tahoe versions. Apple addressed this privacy issue by improving data redaction mechanisms in patched versions (macOS Sequoia 15.7.3, Sonoma 14.8.3, Tahoe 26.2). No public exploit identified at time of analysis, with EPSS exploitation probability at 0.01% (3rd percentile), indicating minimal real-world risk despite local attack vector.

Apple macOS Information Disclosure
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-43516 LOW Monitor

Session fixation in macOS Voice Control allows authenticated local users to transcribe another user's activity on the same system, disclosing sensitive information without user interaction. The vulnerability affects macOS Sequoia, Sonoma, and Tahoe and is fixed in versions 15.7.3, 14.8.3, and 26.2 respectively. Real-world risk is minimal due to low EPSS (0.01%), requirement for local access and prior authentication, and the need for Voice Control to be explicitly enabled.

Apple macOS Information Disclosure
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-43513 MEDIUM This Month

Local arbitrary applications on macOS can read sensitive location information due to a permissions validation flaw (CWE-284), affecting macOS Sequoia, Sonoma, and Tahoe. The vulnerability requires user interaction to trigger but grants unauthorized access to location data without proper authorization checks. Apple has released patches in macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, and macOS Tahoe 26.2 to remediate the issue by removing the vulnerable code. No public exploit or active exploitation has been confirmed.

Apple macOS Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43512 HIGH This Week

Local privilege escalation in Apple macOS (Sonoma 14.x, Sequoia 15.x, Tahoe 26.x) and iOS/iPadOS 18.x allows authenticated users to gain elevated system privileges through malicious applications exploiting a logic flaw in privilege checking mechanisms. Apple has released patches across all affected platforms (iOS 18.7.3, iPadOS 18.7.3, macOS Sequoia 15.7.3, Sonoma 14.8.3, Tahoe 26.2). No public exploit identified at time of analysis, with EPSS score of 0.01% (3rd percentile) indicating minimal observed exploitation activity.

Apple iOS macOS Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-43511 MEDIUM PATCH This Month

Use-after-free memory corruption in Apple WebKit allows remote attackers to crash Safari and iOS/iPadOS applications via maliciously crafted web content, resulting in denial of service. The vulnerability affects Safari 26.2, iOS 18.7.2 and 26.2, iPadOS 18.7.2 and 26.2, macOS Tahoe 26.2, visionOS 26.2, and watchOS 26.2. No public exploit code has been identified, and the vulnerability is not confirmed as actively exploited; however, the network-accessible attack vector and low complexity make it a moderate priority despite the low EPSS score.

Apple Use After Free Denial Of Service Ipados Iphone Os +1
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-43510 HIGH POC KEV THREAT Act Now

Apple kernel lock state checking flaw allows a malicious application to cause unexpected changes in memory shared between processes, potentially enabling cross-process data manipulation on iOS, macOS, and other Apple platforms.

Apple Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
Threat
4.6
CVE-2025-43509 MEDIUM This Month

Improper data access control in macOS allows local applications to read sensitive user data without explicit user consent, exploitable through user interaction. The vulnerability affects macOS Sequoia (before 15.7.3), macOS Sonoma (before 14.8.3), and macOS Tahoe (before 26.2). No public exploit code or active exploitation has been identified; EPSS probability is extremely low at 0.01%, indicating minimal real-world attack likelihood despite the moderate CVSS score.

Apple macOS Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43494 HIGH This Week

Mail header parsing flaw in Apple operating systems allows unauthenticated remote attackers to trigger persistent denial-of-service conditions across iOS, iPadOS, macOS, visionOS, and watchOS platforms. The vulnerability affects all major Apple OS releases prior to January 2025 patches (iOS/iPadOS 18.7.2/26.1, macOS Sequoia 15.7.2/Sonoma 14.8.2/Tahoe 26.1, visionOS 26.1, watchOS 26.1). With EPSS exploitation probability at 0.19% (41st percentile) and no public exploit identified at time of analysis, real-world risk appears moderate despite the 7.5 CVSS score.

Apple iOS macOS Denial Of Service Ipados +3
NVD
CVSS 3.1
7.5
EPSS
0.2%
EPSS 0% CVSS 5.5
MEDIUM This Month

Insufficient validation of environment variables in Apple's macOS, iOS, iPadOS, and visionOS allows local applications to read sensitive user data without user interaction. An attacker with the ability to run code on the affected device could exploit this to access confidential information through improperly sanitized environment variable handling. A patch is not currently available for this medium-severity vulnerability.

Apple Information Disclosure
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Privilege escalation vulnerability in Apple's macOS, iOS, iPadOS, and visionOS allows a malicious application to obtain root-level access through insufficient authorization checks. Local attackers with the ability to install or execute an app can exploit this to gain complete system control. No patch is currently available for this high-severity vulnerability affecting multiple Apple platforms.

Apple Authentication Bypass
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper path validation in macOS and visionOS allows local attackers with user interaction to read sensitive user data through directory path manipulation. The vulnerability affects macOS Sequoia 15.7.3 and earlier, macOS Sonoma 14.8.3 and earlier, macOS Tahoe 26.2 and earlier, and visionOS 26.2 and earlier. No patch is currently available.

Apple Path Traversal
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper input validation in macOS Sequoia, Tahoe, and Sonoma allows local applications to access sensitive user data through an injection attack that requires user interaction. An attacker with a malicious app could exploit this vulnerability to read confidential information on affected systems. No patch is currently available for this medium-severity issue.

Apple Authentication Bypass
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

macOS applications can bypass permission restrictions to access sensitive user data due to a permissions validation flaw affecting macOS versions prior to Tahoe 26.3. An attacker would need local access and user interaction to exploit this vulnerability, resulting in unauthorized disclosure of protected information without affecting system integrity or availability. This issue has been patched in macOS Tahoe 26.3.

Apple macOS
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper memory handling in Apple operating systems (macOS, iOS, iPadOS, visionOS) allows local attackers with user-level privileges to trigger kernel memory corruption or unexpected system crashes without user interaction. The vulnerability affects multiple macOS versions (Tahoe 26.3, Sonoma 14.8.4, Sequoia 15.7.4) and iOS/iPadOS 18.7.5 and later. No patch is currently available for this medium-severity flaw.

Apple Buffer Overflow
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Local attackers can exploit an out-of-bounds read vulnerability in macOS and Linux systems to crash the kernel or leak sensitive kernel memory, affecting macOS Sequoia 15.7.3 and earlier, macOS Tahoe 26.2 and earlier, and macOS Sonoma 14.8.3 and earlier. The vulnerability requires local access but no special privileges or user interaction to trigger. No patch is currently available for this HIGH severity issue.

Apple Buffer Overflow Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

macOS applications can access sensitive user data through insufficient log data redaction in Sequoia 15.7.3 and earlier, and Tahoe 26.2 and earlier. A local attacker with user interaction can exploit this information disclosure vulnerability to read confidential information that should be protected. No patch is currently available for this vulnerability.

Apple macOS
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

macOS Tahoe versions prior to 26.3 contain an improper temporary file handling vulnerability that allows local authenticated applications to read sensitive user data. The vulnerability requires local access and valid user privileges but poses no risk to system integrity or availability. No patch is currently available for affected systems.

Apple macOS
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Unprivileged local users can exploit a race condition in Apple's operating systems (macOS, iOS, iPadOS, tvOS, and visionOS) to escalate privileges to root through improper state handling during concurrent operations. This vulnerability affects multiple OS versions and requires local access with low privileges to trigger, making it exploitable by malicious applications or local attackers. No patch is currently available for this vulnerability.

Apple Race Condition Information Disclosure
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Memory corruption in Apple's USD file processing across iPhone OS, iPadOS, and visionOS enables attackers to crash applications through crafted malicious files, with high severity impact on confidentiality, integrity, and availability. The vulnerability requires user interaction to trigger (opening a malicious USD file) but needs no special privileges, affecting a large user base across multiple Apple platforms. No patch is currently available for this out-of-bounds write vulnerability.

Apple Memory Corruption Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Apple macOS, iOS, and iPadOS through improper path validation allows authenticated attackers to gain root privileges on affected devices. The vulnerability requires local access and user interaction is not required, making it exploitable by malicious applications already present on the system. No patch is currently available for this high-severity flaw affecting multiple Apple operating systems.

Apple Path Traversal
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Improper path validation in macOS (Sequoia 15.7.3 and earlier, Tahoe 26.2 and earlier, Sonoma 14.8.3 and earlier) permits local authenticated users to escalate privileges to root through a malicious application. This path traversal vulnerability (CWE-22) has a CVSS score of 7.8 and currently lacks a publicly available patch.

Apple Path Traversal
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Unauthorized data access in macOS Sequoia, Tahoe, and Sonoma allows locally-installed applications to read sensitive user information due to insufficient privacy validation checks. An attacker with the ability to install or control an application on an affected system can exploit this to access confidential data without user consent. A patch is currently unavailable for this medium-severity vulnerability.

Apple Information Disclosure
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Memory corruption in Apple's media processing across iOS, macOS, watchOS, tvOS, and visionOS allows local attackers to crash applications or corrupt process memory by supplying specially crafted media files. An attacker with local access and user interaction can trigger out-of-bounds memory access during media file parsing, potentially leading to arbitrary code execution or denial of service. No patch is currently available for this vulnerability.

Apple Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Improper symlink handling in macOS Tahoe versions prior to 26.3 allows local authenticated users to escalate privileges to root. An attacker with local access can exploit this vulnerability to gain complete system control. No patch is currently available.

Apple macOS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Memory handling vulnerabilities across Apple's macOS, iOS, and iPadOS platforms allow local attackers to trigger denial-of-service conditions or leak sensitive memory contents by processing specially crafted files. The vulnerability requires user interaction and local access, affecting multiple OS versions with patches available across the Apple ecosystem. CVSS 4.4 (Medium) severity reflects the limited attack surface and lack of remote exploitability.

Apple Buffer Overflow Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Apple macOS, iOS, and iPadOS results from improper state management when processing malicious web content, causing unexpected process crashes. Local attackers with user interaction can trigger this vulnerability to disrupt system availability. No patch is currently available.

Apple Denial Of Service Ipados +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Applications on Apple macOS and iOS platforms can circumvent user privacy preferences through a code execution vulnerability affecting multiple OS versions including Tahoe 26.3, Sonoma 14.8.4, Sequoia 15.7.4, and iOS 18.7.5. A local attacker with user interaction can exploit this to access sensitive user data or modify system settings protected by privacy controls. The vulnerability requires patching through official OS updates, as no workaround is currently available.

Apple Information Disclosure
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

System process denial of service affecting Apple macOS, iOS, and iPadOS through improper memory handling allows local attackers with physical access to crash critical system processes. The vulnerability impacts multiple recent OS versions including macOS Sequoia 15.7.4, iOS 18.7.5, iPadOS 18.7.5, and newer releases, with patches available for affected users. This could enable attackers to disrupt system stability and availability on vulnerable Apple devices.

Apple Buffer Overflow
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Root-privileged applications on macOS can bypass information redaction mechanisms to access sensitive user data due to inadequate access controls. This affects macOS Tahoe 26.3 and earlier versions, allowing a malicious or compromised privileged app to read private information that should be protected. No patch is currently available for this vulnerability.

Apple macOS
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

macOS cache handling vulnerability CVE-2026-20602 allows local users with standard privileges to trigger a denial-of-service condition on affected systems running macOS Sonoma 14.8.4 and earlier, macOS Sequoia 15.7.4 and earlier, or macOS Tahoe 26.3 and earlier. No patch is currently available for this issue.

Apple Denial Of Service
NVD
EPSS 0% CVSS 3.3
LOW Monitor

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.3. [CVSS 3.3 LOW]

Apple macOS
NVD
EPSS 0% CVSS 6.0
MEDIUM This Month

This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. [CVSS 6.0 MEDIUM]

Apple Privilege Escalation
NVD VulDB
EPSS 0% CVSS 5.7
MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Buffer Overflow
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Denial Of Service
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Buffer Overflow
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Buffer Overflow
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Buffer Overflow
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Buffer Overflow
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. [CVSS 7.5 HIGH]

Apple Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

A path handling issue was addressed with improved validation. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5. [CVSS 5.5 MEDIUM]

Apple Path Traversal
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A path handling issue was addressed with improved logic. This issue is fixed in macOS Sonoma 14.8.4. [CVSS 5.5 MEDIUM]

Apple Path Traversal Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. [CVSS 5.5 MEDIUM]

Apple Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Arbitrary code execution in OpenTelemetry Go SDK versions 1.20.0 through 1.39.0 on macOS results from insecure PATH resolution when executing the ioreg system command during resource detection. A local attacker with the ability to modify the PATH environment variable can hijack the command search path and execute arbitrary code with the privileges of the affected application. The vulnerability is resolved in version 1.40.0 and later.

Opentelemetry Go Apple RCE
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Native Access on macOS allows local authenticated attackers to inject malicious libraries into the privileged XPC helper process due to overly permissive code signing entitlements, enabling arbitrary code execution with system-level privileges. The vulnerability stems from the application being signed with dyld environment variable and library validation bypass entitlements while communicating with a trusted helper that validates only the signing certificate. Public exploit code exists, and no patch is currently available.

Privilege Escalation Apple
NVD
EPSS 0% CVSS 7.8
HIGH This Week

An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allow a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls. [CVSS 7.8 HIGH]

Privilege Escalation Apple Superduper
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 26.1 and iPadOS 26.1, Pages 15.1, macOS Tahoe 26.1. [CVSS 4.3 MEDIUM]

Apple Buffer Overflow Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Tahoe 26, Keynote 15.1, iOS 26 and iPadOS 26. [CVSS 5.5 MEDIUM]

Apple Information Disclosure Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Symlink poisoning via race condition in node-tar up to version 7.5.3 allows attackers to exploit Unicode normalization on case-insensitive filesystems like macOS APFS, where the path reservation system fails to serialize operations on colliding paths. Public exploit code exists for this vulnerability, enabling concurrent processing that bypasses internal safeguards. Node.js users and applications depending on vulnerable tar versions should update immediately, as attackers can leverage this to manipulate file operations during archive extraction.

Node.js Tar Apple +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Macos versions up to 26.0 is affected by insertion of sensitive information into log file (CVSS 5.5).

Apple macOS
NVD
EPSS 0% CVSS 3.3
LOW Monitor

A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 16.3. [CVSS 3.3 LOW]

Apple Authentication Bypass
NVD
EPSS 0% CVSS 3.3
LOW Monitor

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. [CVSS 3.3 LOW]

Apple iOS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. [CVSS 5.3 MEDIUM]

Apple iOS Iphone Os +1
NVD
EPSS 0% CVSS 2.4
LOW Monitor

This issue was addressed through improved state management. This issue is fixed in iOS 18.1 and iPadOS 18.1. [CVSS 2.4 LOW]

Apple iOS
NVD
EPSS 0% CVSS 7.8
HIGH This Week

The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. [CVSS 7.8 HIGH]

Apple Buffer Overflow
NVD
EPSS 0% CVSS 3.3
LOW Monitor

This issue was addressed with improved permissions checking. This issue is fixed in macOS Sequoia 15.1. [CVSS 3.3 LOW]

Apple macOS
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

A memory initialization issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. [CVSS 4.3 MEDIUM]

Apple Authentication Bypass Red Hat +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

The issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. [CVSS 6.5 MEDIUM]

Apple Buffer Overflow
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.2. [CVSS 5.5 MEDIUM]

Apple macOS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. [CVSS 4.3 MEDIUM]

Apple iOS Ipados +1
NVD
EPSS 0% CVSS 8.5
HIGH This Week

AirVPN Eddie on MacOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root.This issue affects Eddie: 2.24.6.

Privilege Escalation Apple
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

A vulnerability was determined in aizuda snail-job up to 1.7.0 on macOS. Affected by this vulnerability is the function FurySerializer.deserialize of the component API. This manipulation of the argument argsStr causes deserialization. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

Apple Deserialization
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Unicode right-to-left override (RTLO) characters in malicious websites can spoof filenames displayed in Firefox for iOS downloads UI, potentially tricking users into saving files with misleading extensions and types. Affects Firefox for iOS versions prior to 144.0; requires user interaction to download a file. The vulnerability has low real-world exploitation probability (EPSS 0.04%) despite the moderate CVSS score, as it relies on social engineering and user inattention rather than automatic code execution.

Mozilla Information Disclosure Apple
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Local authenticated applications on iOS and iPadOS can access user-sensitive data due to insufficient entitlement checks, affecting iOS 18.7.2 and earlier and iPadOS 18.7.2 and earlier (as well as iOS 26.1 and iPadOS 26.1 and earlier). An attacker with app installation capability can exploit this vulnerability to bypass privacy controls and exfiltrate protected user information. No public exploit identified at time of analysis, though the 5.5 CVSS score and information disclosure classification indicate moderate real-world risk in targeted attack scenarios.

Apple iOS Information Disclosure +2
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Local privilege escalation in Apple operating systems (iOS, iPadOS, macOS Tahoe, visionOS, watchOS) allows authenticated applications to bypass payment token access restrictions and obtain sensitive payment credentials. The vulnerability affects all versions prior to the 26.2 release across affected platforms. CVSS 5.5 with low real-world exploitation risk (EPSS 0.01%), no public exploit identified, not listed in CISA KEV.

Apple iOS Information Disclosure +5
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A logic validation flaw in macOS Sonoma and Tahoe allows local authenticated apps to access sensitive user data through improved validation mechanisms that were previously insufficient. The vulnerability affects macOS Sonoma versions prior to 14.8.4 and macOS Tahoe prior to 26.2, requiring local access and valid user privileges (PR:L) to exploit. With an EPSS score of 0.02% and no public exploit code identified, the real-world exploitation probability remains minimal despite the CVSS 5.5 rating, though the high confidentiality impact (C:H) warrants timely patching for systems handling sensitive information.

Apple macOS Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Safari and macOS allow local authenticated applications to access sensitive user data through improper permission enforcement. The vulnerability affects Safari versions prior to 26.2 and macOS versions prior to Tahoe 26.2, exploitable by apps running with user-level privileges that can bypass authorization checks to read protected user information. Apple has released patched versions with additional permission validation; EPSS data indicates minimal real-world exploitation likelihood despite the authenticated local attack vector.

Apple Safari macOS +1
NVD
EPSS 0% CVSS 3.3
LOW Monitor

Installed app enumeration via permissions bypass in Apple operating systems allows a locally authenticated app to discover what other applications a user has installed through insufficient access controls. Affects iOS 18.7.2 and earlier, iPadOS 18.7.2 and earlier, macOS Tahoe 26.1 and earlier, tvOS 26.1 and earlier, visionOS 26.1 and earlier, and watchOS 26.1 and earlier. The vulnerability has a low CVSS score (3.3) with extremely low exploitation probability (EPSS 0.02%) and no public exploit identified at time of analysis.

Apple iOS Information Disclosure +5
NVD
EPSS 0% CVSS 3.3
LOW Monitor

Local apps on Apple devices can access a user's Safari browsing history due to insufficient data redaction in system logging, affecting iOS, iPadOS, macOS Tahoe, and watchOS prior to version 26.2. An attacker with local app execution privileges can extract sensitive Safari history from system logs without user interaction. This vulnerability carries a 3.3 CVSS score with minimal real-world exploitation probability (EPSS 0.01%) and no known public exploits.

Apple iOS macOS +4
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Use-after-free memory corruption in Apple's WebKit rendering engine allows remote attackers to crash Safari and iOS/iPadOS applications by processing maliciously crafted web content, requiring only user interaction (page visit) and no authentication. The vulnerability affects Safari 26.2, iOS 18.7.3 and iOS 26.2, iPadOS 18.7.3 and iPadOS 26.2, and macOS Tahoe 26.2 and earlier versions. With an EPSS score of 0.06% and no public exploit confirmed, this represents a low real-world exploitation priority despite the moderate CVSS 4.3 severity rating, with impact limited to denial of service through process termination.

Apple Safari iOS +7
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

Memory corruption vulnerability in Apple's HID (Human Interface Device) input handling subsystem affecting iOS, iPadOS, macOS, watchOS, tvOS, and visionOS. A malicious HID device can trigger unexpected process crashes through improved input validation failures, resulting in denial of service. The vulnerability has a CVSS score of 5.7 (medium severity) with adjacent network attack vector and requires user interaction; no evidence of active exploitation or public POC is indicated in available intelligence.

Apple Buffer Overflow
NVD VulDB
EPSS 0% CVSS 3.1
LOW Monitor

Safari and Apple operating systems contain a race condition that crashes the rendering process when processing maliciously crafted web content, affecting Safari 26.2 and earlier, iOS 18.7.3 and earlier, iPadOS 18.7.3 and earlier, macOS Tahoe 26.2 and earlier, tvOS 26.2 and earlier, visionOS 26.2 and earlier, and watchOS 26.2 and earlier. The vulnerability requires user interaction (clicking a malicious link or visiting a hostile website) and has high attack complexity, resulting in denial of service through process crash rather than data compromise. No public exploit code has been identified, EPSS exploitation probability is very low at 0.12%, and Apple has released patched versions across all affected platforms.

Apple Safari iOS +8
NVD
EPSS 0% CVSS 8.8
HIGH KEV PATCH THREAT Act Now

WebKit arbitrary code execution via use-after-free memory corruption affects Safari 26.2, iOS/iPadOS 18.7.3 through 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, and watchOS 26.2, allowing remote attackers to execute arbitrary code by convincing users to visit malicious websites. This vulnerability is confirmed actively exploited (CISA KEV) in extremely sophisticated targeted attacks against specific individuals on iOS versions prior to iOS 26, per Apple's security bulletin. EPSS score of 0.12% (32nd percentile) significantly understates real-world risk given confirmed exploitation. Related vulnerability CVE-2025-14174 was issued for the same exploitation campaign, suggesting a complex attack chain targeting Apple ecosystem users.

Apple Use After Free RCE +3
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Apple Safari and macOS Lockdown Mode can be bypassed to access restricted Web APIs through maliciously crafted file URLs due to insufficient URL validation. Affects Safari 26.2 and macOS Tahoe 26.2 on systems with Lockdown Mode enabled. Remote attackers can potentially execute high-impact attacks leveraging APIs meant to be restricted in high-security configurations. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis. This represents a serious compromise of Apple's enhanced security feature designed to protect high-risk users from targeted attacks.

Apple Safari macOS +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated access to Hidden Photos Album in Apple iOS, iPadOS, macOS, and visionOS allows remote attackers to view protected photos without authentication due to a configuration flaw. Fixed in iOS/iPadOS 26.2, macOS Tahoe 26.2, and visionOS 26.2. CVSS 9.8 (Critical) reflects network-based unauthenticated access, though EPSS of 0.13% (32nd percentile) suggests low observed exploitation probability. No public exploit identified at time of analysis, and not listed in CISA KEV. This represents a privacy-critical authentication bypass affecting Apple's Photos app across all major platforms.

Apple iOS Authentication Bypass +4
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper file handling in macOS allows local applications to access protected user data through a logic flaw in the operating system's file access controls. The vulnerability affects macOS Sequoia, Sonoma, and Tahoe, requiring user interaction to trigger exploitation and resulting in unauthorized disclosure of sensitive information without the ability to modify or disable system access. Apple has released patched versions (macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2), with no public exploit code identified at time of analysis.

Apple macOS Information Disclosure
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

FaceTime caller ID spoofing vulnerability in Apple operating systems allows remote attackers to spoof their caller identity due to inconsistent user interface state management. Affected versions include iOS 18.7.2 and earlier, iPadOS 18.7.2 and earlier, macOS Sequoia 15.7.2 and earlier, macOS Sonoma 14.8.2 and earlier, macOS Tahoe 26.1 and earlier, visionOS 26.1 and earlier, and watchOS 26.1 and earlier. The vulnerability requires no user interaction or authentication and carries low real-world exploitation risk (EPSS 0.07%, percentile 21%), with no public exploit code or active exploitation confirmed.

Apple iOS macOS +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation to root on Apple platforms via integer overflow in timestamp handling allows authenticated users with low-level access to fully compromise system integrity and confidentiality. Affects iOS, iPadOS, macOS (Sequoia, Sonoma, Tahoe), tvOS, visionOS, and watchOS prior to February 2025 security updates. Vendor-released patches available across all platforms. EPSS probability is minimal (0.02%, 4th percentile), and no public exploit identified at time of analysis, though the local attack vector with low complexity and authenticated requirement reduces remote exploitation risk but creates insider threat exposure.

Apple iOS macOS +2
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Local apps can access sensitive user data through improved privacy controls in Apple operating systems across iOS, iPadOS, macOS, visionOS, and watchOS. The vulnerability requires local network access and an authenticated user session (PR:L), limiting exposure to installed applications with explicit permissions. Confirmed patches are available across all affected platforms, and exploitation probability is very low (EPSS 0.02%), indicating this is a privacy-boundary issue rather than a critical security flaw.

Apple iOS Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Password field disclosure in Apple operating systems allows remote observation of credentials during FaceTime screen sharing sessions. Affects iOS/iPadOS 18.x through 18.7.2, iOS/iPadOS 26.0-26.1, macOS Sequoia through 15.7.2, macOS Tahoe through 26.1, and visionOS through 26.1. Attackers with network access to FaceTime sessions can view password fields that should be masked, creating credential exposure risk during remote support or collaboration scenarios. EPSS score of 0.03% (10th percentile) indicates low automated exploitation probability, and no public exploit identified at time of analysis.

Apple iOS Information Disclosure
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Memory corruption via out-of-bounds write in Apple operating systems allows remote attackers to execute arbitrary code when victims process a malicious file. The vulnerability affects macOS (Sonoma 14.x, Sequoia 15.x, Tahoe 26.x), iOS/iPadOS (18.x, 26.x), tvOS, visionOS, and watchOS 26.x. Despite a high CVSS score of 8.8, EPSS data indicates only 0.05% exploitation probability (15th percentile), and no public exploit code or active exploitation is confirmed. The flaw stems from inadequate bounds checking (CWE-787) in file processing routines, requiring user interaction but no authentication, making it a realistic phishing or malicious download target.

Apple iOS macOS +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Local apps can access sensitive user data through inadequate log redaction in Apple's operating systems, affecting iOS 18.7.2 and earlier, iPadOS 18.7.2 and earlier, iOS 26.1 and earlier, iPadOS 26.1 and earlier, macOS Sonoma 14.8.2 and earlier, macOS Tahoe 26.1 and earlier, visionOS 26.1 and earlier, and watchOS 26.1 and earlier. The vulnerability requires local app execution with limited user privileges but no interaction, resulting in unauthorized read access to sensitive data stored in application logs. While EPSS probability is minimal (0.01%), the local attack vector and high confidentiality impact warrant patching in environments where untrusted apps may be installed.

Apple iOS Information Disclosure
NVD
EPSS 0% CVSS 2.8
LOW Monitor

Memory corruption in Apple operating systems due to insufficient bounds checking allows local authenticated users to cause denial of service through malicious data processing, affecting iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The vulnerability requires local access and user interaction, with no public exploit identified; EPSS score of 0.02% indicates minimal real-world exploitation probability despite the assigned CVSS score of 2.8.

Apple iOS macOS +2
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Local apps on Apple macOS and iPadOS can access sensitive user data through inadequate information disclosure controls, requiring local execution and low-level user privileges. Affected versions include iOS 18.7.2 and earlier, iPadOS 18.7.2 and earlier, macOS Sequoia 15.7.2 and earlier, macOS Sonoma 14.8.2 and earlier, and macOS Tahoe 26.1 and earlier. Apple has released patched versions (iOS 18.7.3, iPadOS 18.7.3, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2) with improved access controls to restrict unauthorized data exposure. With an EPSS score of 0.02% (4th percentile) and no public exploit code identified at time of analysis, this represents a low real-world exploitation probability despite the moderate CVSS score.

Apple iOS Information Disclosure
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in macOS Sequoia (pre-15.7.3) and macOS Tahoe (pre-26.2) allows authenticated users with low-level privileges to gain root access via a permissions flaw. Apple addressed the issue with additional restrictions in the latest updates. EPSS score of 0.01% indicates minimal observed exploitation activity, and no public exploit identified at time of analysis.

Apple macOS Privilege Escalation
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Local privilege escalation in macOS allows unprivileged applications to access sensitive user data through a permissions bypass. Affects macOS Sequoia versions prior to 15.7.3 and macOS Tahoe prior to 26.2. Attack requires local system access and user interaction (UI:R). EPSS exploitation probability is very low at 0.02%, and no public exploit code or active exploitation has been reported.

Apple macOS Information Disclosure
NVD
EPSS 0% CVSS 3.3
LOW Monitor

Intel-based Mac computers running macOS Sequoia prior to 15.7.3 or macOS Tahoe prior to 26.2 are vulnerable to a cryptographic downgrade attack that allows unprivileged local applications to bypass code-signing restrictions and access sensitive user data. The vulnerability exploits inadequate validation of signed components, enabling information disclosure through JWT or similar signed-data attacks. Active exploitation has not been confirmed, and the extremely low EPSS score (0.01%) indicates minimal real-world exploitation risk despite the local attack vector.

Apple macOS Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Local privilege escalation on Intel-based macOS systems allows unsigned or weakly-signed applications to access sensitive user data by downgrading code-signing protections through cryptographic validation bypass. The vulnerability affects macOS Sequoia prior to 15.7.3 and macOS Tahoe prior to 26.2, requires user interaction to execute a malicious app, and has an extremely low exploitation probability (EPSS 0.01%) despite moderate CVSS severity. No active exploitation or public exploit code has been identified.

Apple macOS Information Disclosure
NVD
EPSS 0% 4.1 CVSS 5.5
MEDIUM POC KEV THREAT This Month

Apple kernel memory corruption in multiple operating systems allows a malicious application to cause unexpected system termination or write kernel memory via an out-of-bounds write flaw addressed in watchOS 26.1, iOS 18.7.2, and macOS Tahoe 26.1.

Buffer Overflow Apple Memory Corruption
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Local privilege escalation in macOS allows authenticated applications to access sensitive user data through insufficient permission restrictions on Sequoia, Sonoma, and Tahoe versions. The vulnerability requires local access and low-privilege user context but enables high-impact confidentiality compromise without requiring user interaction or elevated privileges to trigger. A vendor-released patch is available across all affected macOS versions.

Apple macOS Information Disclosure
NVD
EPSS 0% CVSS 3.3
LOW Monitor

Local privilege escalation in Apple's spellcheck API allows authenticated users to inappropriately access files on macOS, iOS, and related platforms through a logic flaw in access controls. Affected versions include macOS Sonoma 14.x and earlier, macOS Sequoia 15.7.2 and earlier, iOS 18.x and earlier, iPadOS 18.x and earlier, and watchOS 11.x and earlier. This vulnerability requires local access and user-level privileges but carries a low EPSS score (0.01%, percentile 3%) indicating minimal real-world exploitation likelihood at present. No public exploit code or active exploitation has been identified.

Apple iOS macOS +2
NVD
EPSS 0% CVSS 3.3
LOW Monitor

macOS logging system fails to redact protected user data from log entries, allowing local authenticated applications to access sensitive information through log files across Sequoia, Sonoma, and Tahoe versions. Apple addressed this privacy issue by improving data redaction mechanisms in patched versions (macOS Sequoia 15.7.3, Sonoma 14.8.3, Tahoe 26.2). No public exploit identified at time of analysis, with EPSS exploitation probability at 0.01% (3rd percentile), indicating minimal real-world risk despite local attack vector.

Apple macOS Information Disclosure
NVD
EPSS 0% CVSS 3.3
LOW Monitor

Session fixation in macOS Voice Control allows authenticated local users to transcribe another user's activity on the same system, disclosing sensitive information without user interaction. The vulnerability affects macOS Sequoia, Sonoma, and Tahoe and is fixed in versions 15.7.3, 14.8.3, and 26.2 respectively. Real-world risk is minimal due to low EPSS (0.01%), requirement for local access and prior authentication, and the need for Voice Control to be explicitly enabled.

Apple macOS Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Local arbitrary applications on macOS can read sensitive location information due to a permissions validation flaw (CWE-284), affecting macOS Sequoia, Sonoma, and Tahoe. The vulnerability requires user interaction to trigger but grants unauthorized access to location data without proper authorization checks. Apple has released patches in macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, and macOS Tahoe 26.2 to remediate the issue by removing the vulnerable code. No public exploit or active exploitation has been confirmed.

Apple macOS Information Disclosure
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Apple macOS (Sonoma 14.x, Sequoia 15.x, Tahoe 26.x) and iOS/iPadOS 18.x allows authenticated users to gain elevated system privileges through malicious applications exploiting a logic flaw in privilege checking mechanisms. Apple has released patches across all affected platforms (iOS 18.7.3, iPadOS 18.7.3, macOS Sequoia 15.7.3, Sonoma 14.8.3, Tahoe 26.2). No public exploit identified at time of analysis, with EPSS score of 0.01% (3rd percentile) indicating minimal observed exploitation activity.

Apple iOS macOS +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Use-after-free memory corruption in Apple WebKit allows remote attackers to crash Safari and iOS/iPadOS applications via maliciously crafted web content, resulting in denial of service. The vulnerability affects Safari 26.2, iOS 18.7.2 and 26.2, iPadOS 18.7.2 and 26.2, macOS Tahoe 26.2, visionOS 26.2, and watchOS 26.2. No public exploit code has been identified, and the vulnerability is not confirmed as actively exploited; however, the network-accessible attack vector and low complexity make it a moderate priority despite the low EPSS score.

Apple Use After Free Denial Of Service +3
NVD VulDB
EPSS 0% 4.6 CVSS 7.8
HIGH POC KEV THREAT Act Now

Apple kernel lock state checking flaw allows a malicious application to cause unexpected changes in memory shared between processes, potentially enabling cross-process data manipulation on iOS, macOS, and other Apple platforms.

Apple Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper data access control in macOS allows local applications to read sensitive user data without explicit user consent, exploitable through user interaction. The vulnerability affects macOS Sequoia (before 15.7.3), macOS Sonoma (before 14.8.3), and macOS Tahoe (before 26.2). No public exploit code or active exploitation has been identified; EPSS probability is extremely low at 0.01%, indicating minimal real-world attack likelihood despite the moderate CVSS score.

Apple macOS Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Mail header parsing flaw in Apple operating systems allows unauthenticated remote attackers to trigger persistent denial-of-service conditions across iOS, iPadOS, macOS, visionOS, and watchOS platforms. The vulnerability affects all major Apple OS releases prior to January 2025 patches (iOS/iPadOS 18.7.2/26.1, macOS Sequoia 15.7.2/Sonoma 14.8.2/Tahoe 26.1, visionOS 26.1, watchOS 26.1). With EPSS exploitation probability at 0.19% (41st percentile) and no public exploit identified at time of analysis, real-world risk appears moderate despite the 7.5 CVSS score.

Apple iOS macOS +5
NVD
Prev Page 8 of 90 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy