Skip to main content

Apple

Vendor security scorecard – 395 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 930
395
CVEs
19
Critical
163
High
0
KEV
11
PoC
16
Unpatched C/H
90.9%
Patch Rate
0.1%
Avg EPSS

Severity Breakdown

CRITICAL
19
HIGH
163
MEDIUM
199
LOW
13

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2021-47944 memono Notepad 4.2 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character buffers into note fields. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. HIGH 8.7 0.0% 64
PoC No patch
CVE-2021-47973 Sticky Notes Widget 3.0.6 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. HIGH 8.7 0.0% 64
PoC No patch
CVE-2026-48801 Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by submitting tens of KB of repeated email/link-like text. The core public API LinkifyIt.prototype.match runs an O(N²) scan loop that re-slices the input and re-runs unanchored fuzzy regex searches once per match, so 64 KB of "a@b.com" burns ~2.5 s of single-threaded CPU and 128 KB ~10 s. The flaw is inherited by markdown-it (~21.6M weekly npm downloads) whenever linkify:true is set, exposing forums, chat, wikis and AI chat UIs; publicly available exploit code (a PoC in the GHSA advisory) exists, but there is no evidence of active exploitation. HIGH 8.7 0.4% 64
PoC
CVE-2026-47114 Arbitrary command execution in IINA media player for macOS versions prior to 1.4.3 allows remote attackers to run shell commands as the logged-in user by tricking the victim into approving an iina://open URL containing malicious mpv_-prefixed parameters. Publicly available exploit code exists and a vendor patch has been released; exploitation requires a single browser protocol prompt approval (UI:A) but no authentication and no valid media file. HIGH 8.6 0.2% 63
PoC
CVE-2026-10557 Hard-coded MQTT broker credentials in Yarbo Android and iOS applications allow remote unauthenticated attackers to subscribe to and publish on the cloud MQTT brokers serving the entire global Yarbo robot fleet. Because the credentials are identical across all users and devices and trivially extractable via APK decompilation, anyone knowing a target robot's serial number can read its telemetry or send arbitrary commands. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and CISA ICS advisory reflect the systemic, fleet-wide nature of the exposure. CRITICAL 9.3 0.0% 56
CVE-2026-52806 Remote code execution in Gogs through 0.14.2 allows authenticated users (and unauthenticated attackers on default-configured instances with open registration) to execute arbitrary commands as the Gogs server process by crafting a pull request whose base branch name injects a `--exec` flag into the underlying `git rebase` invocation. A working Python proof-of-concept exists and has been validated end-to-end against Docker, Linux binary, and Windows installations, yielding shell access as the `git` user. No CISA KEV listing or EPSS data is provided, so this is treated as publicly available exploit code rather than confirmed active exploitation. CRITICAL 9.9 1.0% 51
CVE-2026-53407 Privilege escalation in the Zoom Workplace mobile app (Android before 7.0.4, iOS before 7.0.3) stems from improper authorization in the handler that processes the app's custom URL scheme, allowing an unauthenticated actor to elevate privileges via network access. Zoom self-reported and patched the flaw, and no public exploit identified at time of analysis; EPSS remains very low (0.04%, 12th percentile) and CISA SSVC marks exploitation as none, indicating no observed activity despite the 9.8 CVSS score. CRITICAL 9.8 0.0% 49
CVE-2026-14802 OS command injection in create-react-app's react-dev-utils component enables remote code execution on macOS developer workstations running version 5.0.1 or earlier. The vulnerability resides in the startBrowserProcess function of openBrowser.js, which processes unsanitized input that reaches a shell invocation. A publicly available proof-of-concept exploit exists via the project's GitHub issue tracker; no vendor patch has been released and the maintainers have not responded to disclosure, leaving the entire supported version history of this widely-used but now-archived tool permanently unpatched. MEDIUM 5.5 1.3% 49
PoC No patch
CVE-2026-33646 Arbitrary code execution in mise (jdx/mise) versions prior to 2026.3.10 allows attackers to run shell commands as the victim user simply by having them `cd` into a directory containing a malicious `.tool-versions` file. Unlike `.mise.toml`, `.tool-versions` files bypass the trust verification gate in non-paranoid mode, so the Tera template engine's `exec()` function fires silently from the shell `hook-env`. No public exploit identified at time of analysis beyond the detailed reporter PoC, but exploitation is trivial and a working PoC is embedded in the advisory. CRITICAL 9.6 0.7% 49
CVE-2026-13843 Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromi CRITICAL 9.6 0.2% 48
CVE-2026-42090 Remote code execution in Notesnook Desktop (Electron-based) via stored XSS in the note export-to-PDF flow allows unauthenticated remote attackers to execute arbitrary code when a user opens a maliciously crafted note. The vulnerability stems from unescaped HTML in exported note fields (title, headline, content) that execute in an Electron iframe with nodeIntegration enabled and contextIsolation disabled, escalating browser-based XSS to full RCE. Affects Notesnook Web/Desktop <3.3.15 and iOS/Android <3.3.20. CVSS 9.6 with changed scope (S:C) reflects privilege escalation from browser context to system-level code execution. EPSS and KEV data not provided, but requires user interaction (UI:R) to export/view the malicious note, limiting automated exploitation. CRITICAL 9.6 0.2% 48
CVE-2026-11165 Sandbox escape in Google Chrome on iOS before 149.0.7827.53 can be triggered by a remote attacker who lures a user to a malicious HTML page that abuses a use-after-free condition in the WebMIDI subsystem. Successful exploitation breaks out of the renderer sandbox with high confidentiality, integrity, and availability impact, though no public exploit is identified at time of analysis and EPSS probability is very low (0.03%). CRITICAL 9.6 0.0% 48
CVE-2026-44211 ## Summary The `kanban` npm package (used by the `cline` CLI) starts a WebSocket server on `127.0.0.1:3484` with no Origin header validation. Any web CRITICAL 9.6 0.0% 48
No patch
CVE-2026-53649 Unauthenticated remote code execution in Joro ≤ v1.1.0 (BishopFox's offensive-security tooling) allows an attacker to gain a shell as the operator's user when that operator merely visits a malicious web page. In the default proxy mode, Joro exposes an unauthenticated local API on 127.0.0.1:9090 with a wildcard CORS policy; because plugin uploads use the CORS-safelisted multipart/form-data content type, cross-origin JavaScript can upload a native Go plugin and trigger a restart through the operator's browser with no preflight or credentials, and the plugin's init() executes on load. No public exploit is identified at time of analysis, but the advisory documents a complete, reproducible attack chain, and the assigned CVSS is 9.6 (Critical). CRITICAL 9.6 &ndash; 48
CVE-2026-44670 Remote code execution in SiYuan's Electron desktop application allows authenticated attackers (or browser extensions on localhost) to inject malicious JavaScript through unescaped Attribute View names, escalating from stored XSS to arbitrary system command execution. The Go kernel backend stores AV names without HTML escaping, then embeds them via string replacement into HTML templates pushed over WebSocket. Three TypeScript renderer paths (render.ts, Title.ts, transaction.ts) consume this data using innerHTML/outerHTML without sanitization. Because the Electron main window runs with nodeIntegration:true and contextIsolation:false, script injection grants full Node.js API access—enabling attackers to spawn child processes (calc.exe/xcalc demonstrated in PoC), exfiltrate SSH keys, install backdoors, or pivot to cloud credentials. Payloads persist in JSON files under data/storage/av/, replicate across all sync transports (S3/WebDAV/cloud), survive .sy.zip export-import, and trigger for any user role (Administrator/Editor/Reader/Visitor) opening a document bound to the poisoned database view. CVSS 9.4 (Network/Low/None/High Confidentiality-Integrity-Availability + Scope Changed) reflects worst-case remote network vector, though the primary realistic attack path is via installed browser extensions (chrome-extension:// Origin explicitly allowlisted in session.go:277) calling the /api/transactions endpoint as an auto-granted admin on default installations with no Access Authorization Code. GitHub advisory GHSA-2h64-c999-c9r6 confirms patch available in kernel commit 0.0.0-20260512140701-d7b77d945e0d. No public exploit code identified at time of analysis, but detailed reproduction steps with curl payloads and Electron DevTools inspection are published in the advisory. CRITICAL 9.4 0.1% 47

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy