ReportizFlow
Filtered by vendor Apple
Subscriptions
Filtered by product Macos
Subscriptions
Total
6267 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-5470 | 2 Apple, Yandex | 2 Macos, Disk | 2026-04-15 | N/A |
| Uncontrolled Search Path Element vulnerability in Yandex Disk on MacOS allows Search Order Hijacking.This issue affects Disk: before 3.2.45.3275. | ||||
| CVE-2025-57443 | 2 Apple, Frostwire | 2 Macos, Frostwire | 2026-04-15 | 5.1 Medium |
| FrostWire 6.14.0-build-326 for macOS contains permissive entitlements (allow-dyld-environment-variables, disable-library-validation) that allow unprivileged local attackers to inject code into the FrostWire process via the DYLD_INSERT_LIBRARIES environment variable. This allows escalated privileges to arbitrary TCC-approved directories. | ||||
| CVE-2025-58131 | 2 Apple, Zoom | 4 Macos, Vdi Vmware, Workplace and 1 more | 2026-04-15 | 6.6 Medium |
| Race condition in the Zoom Workplace VDI Plugin macOS Universal installer for VMware Horizon before version 6.4.10 (or before 6.2.15 and 6.3.12 in their respective tracks) may allow an authenticated user to conduct a disclosure of information via network access. | ||||
| CVE-2025-9190 | 2 Apple, Cursor | 2 Macos, Cursor | 2026-04-15 | N/A |
| The configuration of Cursor on macOS, specifically the "RunAsNode" fuse enabled, allows a local attacker with unprivileged access to execute arbitrary code that inherits Cursor TCC (Transparency, Consent, and Control) permissions. Acquired resource access is limited to previously granted permissions by the user. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Cursor, potentially disguising attacker's malicious intent. This issue was detected in 15.4.1 version of Cursor. Project maintainers decided not to fix this issue, because a scenario including a local attacker falls outside their defined threat model. | ||||
| CVE-2025-53594 | 2 Apple, Qnap | 4 Macos, Qfinder Pro, Qsync and 1 more | 2026-04-15 | N/A |
| A path traversal vulnerability has been reported to affect several product versions. If a local attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: Qfinder Pro Mac 7.13.0 and later Qsync for Mac 5.1.5 and later QVPN Device Client for Mac 2.2.8 and later | ||||
| CVE-2025-64984 | 3 Apple, Kaspersky, Linux | 5 Macos, Endpoint Security, Industrial Cybersecurity and 2 more | 2026-04-15 | 6.1 Medium |
| Kaspersky has fixed a security issue in Kaspersky Endpoint Security for Linux (any version with anti-virus databases prior to 18.11.2025), Kaspersky Industrial CyberSecurity for Linux Nodes (any version with anti-virus databases prior to 18.11.2025), and Kaspersky Endpoint Security for Mac (12.0.0.325, 12.1.0.553, and 12.2.0.694 with anti-virus databases prior to 18.11.2025) that could have allowed a reflected XSS attack to be carried out by an attacker using phishing techniques. | ||||
| CVE-2025-15032 | 3 Apple, Dia, The Browser Company | 3 Macos, Dia, Dia | 2026-04-15 | 7.4 High |
| Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site. | ||||
| CVE-2025-11462 | 2 Amazon, Apple | 2 Aws Client Vpn, Macos | 2026-04-15 | 7.8 High |
| Improper Link Resolution Before File Access in the AWS VPN Client for macOS versions 1.3.2- 5.2.0 allows a local user to execute code with elevated privileges. Insufficient validation checks on the log destination directory during log rotation could allow a non-administrator user to create a symlink from a client log file to a privileged location. On log rotation, this could lead to code execution with root privileges if the user made crafted API calls which injected arbitrary code into the log file. We recommend users upgrade to AWS VPN Client for macOS 5.2.1 or the latest version. | ||||
| CVE-2025-15523 | 2 Apple, Inkscape | 2 Macos, Inkscape | 2026-04-15 | 4.4 Medium |
| MacOS version of Inkscape bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Inkscape, potentially disguising attacker's malicious intent. This issue has been fixed in 1.4.3 version of Inkscape. | ||||
| CVE-2025-53811 | 2 Apple, Mosh | 2 Macos, Mosh | 2026-04-15 | N/A |
| The configuration of Mosh-Pro on macOS, specifically the "RunAsNode" fuse enabled, allows a local attacker with unprivileged access to execute arbitrary code that inherits Mosh-Pro TCC (Transparency, Consent, and Control) permissions. Acquired resource access is limited to previously granted permissions by the user. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Mosh-Pro, potentially disguising attacker's malicious intent. This issue was detected in 1.3.2 version of Mosh-Pro. Since authors did not respond to messages from CNA, patching status is unknown. | ||||
| CVE-2025-7961 | 2 Apple, Wulkano | 2 Macos, Kap | 2026-04-15 | N/A |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Wulkano KAP on MacOS allows TCC Bypass.This issue affects KAP: 3.6.0. | ||||
| CVE-2025-7007 | 3 Apple, Avast, Linux | 3 Macos, Antivirus, Linux | 2026-04-15 | 7.5 High |
| NULL Pointer Dereference vulnerability in Avast Antivirus on MacOS, Avast Anitvirus on Linux when scanning a malformed Windows PE file causes the antivirus process to crash.This issue affects Antivirus: 16.0.0; Anitvirus: 3.0.3. | ||||
| CVE-2024-7457 | 2 Apple, Stash | 2 Macos, Stash | 2026-04-15 | 7.8 High |
| The ws.stash.app.mac.daemon.helper tool contains a vulnerability caused by an incorrect use of macOS’s authorization model. Instead of validating the client's authorization reference, the helper invokes AuthorizationCopyRights() using its own privileged context (root), effectively authorizing itself rather than the client. As a result, it grants the system.preferences.admin right internally, regardless of the requesting client's privileges. This flawed logic allows unprivileged clients to invoke privileged operations via XPC, including unauthorized changes to system-wide network preferences such as SOCKS, HTTP, and HTTPS proxy settings. The absence of proper code-signing checks further enables arbitrary processes to exploit this flaw, leading to man-in-the-middle (MITM) attacks through traffic redirection. | ||||
| CVE-2024-30164 | 3 Apple, Codesys, Microsoft | 3 Macos, Linux, Windows | 2026-04-15 | 6.7 Medium |
| Amazon AWS Client VPN has a buffer overflow that could potentially allow a local actor to execute arbitrary commands with elevated permissions. This is resolved in 3.11.1 on Windows, 3.9.1 on macOS, and 3.12.1 on Linux. NOTE: although the macOS resolution is the same as for CVE-2024-30165, this vulnerability on macOS is not the same as CVE-2024-30165. | ||||
| CVE-2025-15246 | 2 Aizuda, Apple | 2 Snail-job, Macos | 2026-04-15 | 6.3 Medium |
| A vulnerability was determined in aizuda snail-job up to 1.7.0 on macOS. Affected by this vulnerability is the function FurySerializer.deserialize of the component API. This manipulation of the argument argsStr causes deserialization. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2026-28815 | 1 Apple | 2 Macos, Swift-crypto | 2026-04-14 | 7.5 High |
| A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections. This issue is fixed in swift-crypto version 4.3.1. | ||||
| CVE-2026-5906 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 4.3 Medium |
| Incorrect security UI in Omnibox in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-5908 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 8.8 High |
| Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low) | ||||
| CVE-2026-5909 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 8.8 High |
| Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low) | ||||
| CVE-2026-5858 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 8.8 High |
| Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | ||||