Filtered by vendor Apple
Subscribe
Total
14428 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-44228 | 12 Apache, Apple, Bentley and 9 more | 166 Log4j, Xcode, Synchro and 163 more | 2026-02-20 | 9.3 HIGH | 10.0 CRITICAL |
| Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. | |||||
| CVE-2025-64724 | 2 Apple, Arduino | 2 Macos, Arduino Ide | 2026-02-19 | N/A | 7.3 HIGH |
| Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS is installed with world-writable file permissions on sensitive application components, allowing any local user to replace legitimate files with malicious code. When another user launches the application, the malicious code executes with that user's privileges, enabling privilege escalation and unauthorized access to sensitive data. The fix is included starting from the `2.3.7` release. | |||||
| CVE-2025-64723 | 2 Apple, Arduino | 2 Macos, Arduino Ide | 2026-02-19 | N/A | 4.4 MEDIUM |
| Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS was configured with overly permissive security entitlements that could bypass macOS Hardened Runtime protections. This configuration allows attackers to inject malicious dynamic libraries into the application process, gaining access to all TCC (Transparency, Consent, and Control) permissions granted to the application. The fix is included starting from the `2.3.7 ` release. | |||||
| CVE-2026-20618 | 1 Apple | 1 Macos | 2026-02-18 | N/A | 5.5 MEDIUM |
| An issue was addressed with improved handling of temporary files. This issue is fixed in macOS Tahoe 26.3. An app may be able to access user-sensitive data. | |||||
| CVE-2026-20642 | 1 Apple | 2 Ipados, Iphone Os | 2026-02-18 | N/A | 2.4 LOW |
| An input validation issue was addressed. This issue is fixed in iOS 26.3 and iPadOS 26.3. A person with physical access to an iOS device may be able to access photos from the lock screen. | |||||
| CVE-2026-20603 | 1 Apple | 1 Macos | 2026-02-18 | N/A | 4.4 MEDIUM |
| This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Tahoe 26.3. An app with root privileges may be able to access private information. | |||||
| CVE-2025-14714 | 2 Apple, Libreoffice | 2 Macos, Libreoffice | 2026-02-18 | N/A | 6.5 MEDIUM |
| An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle By executing the bundled interpreter directly the attacker's scripts run with the application's TCC privileges In fixed versions parent-constraints are used to allow only the main application to launch interpreter with those permissions This issue affects LibreOffice on macOS: from 25.2 before < 25.2.4. | |||||
| CVE-2026-20629 | 1 Apple | 1 Macos | 2026-02-17 | N/A | 5.5 MEDIUM |
| A privacy issue was addressed with improved handling of temporary files. This issue is fixed in macOS Tahoe 26.3. An app may be able to access user-sensitive data. | |||||
| CVE-2026-20640 | 1 Apple | 2 Ipados, Iphone Os | 2026-02-17 | N/A | 4.6 MEDIUM |
| An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 26.3 and iPadOS 26.3. An attacker with physical access to iPhone may be able to take and view screenshots of sensitive data from the iPhone during iPhone Mirroring with Mac. | |||||
| CVE-2026-20681 | 1 Apple | 1 Macos | 2026-02-13 | N/A | 3.3 LOW |
| A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Tahoe 26.3. An app may be able to access information about a user's contacts. | |||||
| CVE-2026-20646 | 1 Apple | 1 Macos | 2026-02-13 | N/A | 3.3 LOW |
| A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.3. A malicious app may be able to read sensitive location information. | |||||
| CVE-2023-28322 | 4 Apple, Fedoraproject, Haxx and 1 more | 13 Macos, Fedora, Curl and 10 more | 2026-02-13 | N/A | 3.7 LOW |
| An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST. | |||||
| CVE-2022-42916 | 4 Apple, Fedoraproject, Haxx and 1 more | 4 Macos, Fedora, Curl and 1 more | 2026-02-13 | N/A | 7.5 HIGH |
| In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26. | |||||
| CVE-2022-32221 | 5 Apple, Debian, Haxx and 2 more | 13 Macos, Debian Linux, Curl and 10 more | 2026-02-13 | N/A | 9.8 CRITICAL |
| When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. | |||||
| CVE-2026-20619 | 1 Apple | 1 Macos | 2026-02-13 | N/A | 5.5 MEDIUM |
| A logging issue was addressed with improved data redaction. This issue is fixed in macOS Sequoia 15.7.4, macOS Tahoe 26.3. An app may be able to access sensitive user data. | |||||
| CVE-2026-20623 | 1 Apple | 1 Macos | 2026-02-13 | N/A | 5.5 MEDIUM |
| A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Tahoe 26.3. An app may be able to access protected user data. | |||||
| CVE-2026-20674 | 1 Apple | 2 Ipados, Iphone Os | 2026-02-13 | N/A | 4.6 MEDIUM |
| A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 26.3 and iPadOS 26.3. An attacker with physical access to a locked device may be able to view sensitive user information. | |||||
| CVE-2026-20662 | 1 Apple | 1 Macos | 2026-02-13 | N/A | 4.6 MEDIUM |
| An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Tahoe 26.3. An attacker with physical access to a locked device may be able to view sensitive user information. | |||||
| CVE-2026-2319 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-02-13 | N/A | 7.5 HIGH |
| Race in DevTools in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures and install a malicious extension to potentially exploit object corruption via a malicious file. (Chromium security severity: Medium) | |||||
| CVE-2026-2318 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-02-13 | N/A | 6.5 MEDIUM |
| Inappropriate implementation in PictureInPicture in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | |||||