Filtered by vendor Apple
Subscriptions
Filtered by product Macos
Subscriptions
Total
4919 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-65741 | 2 Apple, Sublimetext | 2 Macos, Sublime Text 3 | 2025-12-10 | N/A |
| Sublime Text 3 Build 3208 or prior for MacOS is vulnerable to Dylib Injection. An attacker could compile a .dylib file and force the execution of this library in the context of the Sublime Text application. | ||||
| CVE-2025-5471 | 2 Apple, Yandex | 2 Macos, Yandex Telemost | 2025-12-10 | N/A |
| Uncontrolled Search Path Element vulnerability in Yandex Telemost on MacOS allows Search Order Hijacking.This issue affects Telemost: before 2.19.1. | ||||
| CVE-2025-5470 | 2 Apple, Yandex | 2 Macos, Disk | 2025-12-10 | N/A |
| Uncontrolled Search Path Element vulnerability in Yandex Disk on MacOS allows Search Order Hijacking.This issue affects Disk: before 3.2.45.3275. | ||||
| CVE-2025-5469 | 2 Apple, Yandex | 2 Macos, Messenger | 2025-12-10 | N/A |
| Uncontrolled Search Path Element vulnerability in Yandex Messenger on MacOS allows Search Order Hijacking.This issue affects Telemost: before 2.245 | ||||
| CVE-2025-64894 | 3 Adobe, Apple, Microsoft | 3 Dng Software Development Kit, Macos, Windows | 2025-12-10 | 5.5 Medium |
| DNG SDK versions 1.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could lead to application denial-of-service. An attacker could exploit this issue to cause the application to crash or become unresponsive. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2025-64784 | 3 Adobe, Apple, Microsoft | 3 Dng Software Development Kit, Macos, Windows | 2025-12-10 | 7.1 High |
| DNG SDK versions 1.7.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure or application denial of service. An attacker could leverage this vulnerability to disclose sensitive memory information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2025-64783 | 3 Adobe, Apple, Microsoft | 3 Dng Software Development Kit, Macos, Windows | 2025-12-10 | 7.8 High |
| DNG SDK versions 1.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2025-64893 | 3 Adobe, Apple, Microsoft | 3 Dng Software Development Kit, Macos, Windows | 2025-12-10 | 7.1 High |
| DNG SDK versions 1.7.0 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure or application denial of service. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2025-13639 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-12-08 | 8.1 High |
| Inappropriate implementation in WebRTC in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2025-5317 | 2 Apple, Bitdefender | 3 Macos, Endpoint Security, Endpoint Security Tools | 2025-12-08 | 5.5 Medium |
| An improper access restriction to a folder in Bitdefender Endpoint Security Tools for Mac (BEST) before 7.20.52.200087 allows local users with administrative privileges to bypass the configured uninstall password protection. An unauthorized user with sudo privileges can manually remove the application directory (/Applications/Endpoint Security for Mac.app/) and the related directories within /Library/Bitdefender/AVP without needing the uninstall password. | ||||
| CVE-2025-11935 | 3 Apple, Linux, Wolfssl | 3 Macos, Linux Kernel, Wolfssl | 2025-12-08 | 7.5 High |
| With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection. | ||||
| CVE-2025-11934 | 3 Apple, Linux, Wolfssl | 3 Macos, Linux Kernel, Wolfssl | 2025-12-08 | 2.7 Low |
| Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256. | ||||
| CVE-2025-11933 | 3 Apple, Linux, Wolfssl | 3 Macos, Linux Kernel, Wolfssl | 2025-12-08 | 6.5 Medium |
| Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthenticated attacker to potentially cause a denial-of-service via a crafted ClientHello message with duplicate CKS extensions. | ||||
| CVE-2025-12893 | 3 Apple, Microsoft, Mongodb | 3 Macos, Windows, Mongodb | 2025-12-05 | 4.2 Medium |
| Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = clientAuth may still be successfully authenticated via the TLS handshake as a client. This issue is specific to MongoDB servers running on Windows or Apple as the expected validation behavior functions correctly on Linux systems. Additionally, MongoDB servers may successfully establish egress TLS connections with servers that present server certificates not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = serverAuth may still be successfully authenticated via the TLS handshake as a server. This issue is specific to MongoDB servers running on Apple as the expected validation behavior functions correctly on both Linux and Windows systems. This vulnerability affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.16 and MongoDB Server v8.2 versions prior to 8.2.2 | ||||
| CVE-2025-65842 | 2 Acusticaudio, Apple | 2 Aquarius Helpertool, Macos | 2025-12-05 | 5.1 Medium |
| The Aquarius HelperTool (1.0.003) privileged XPC service on macOS contains multiple flaws that allow local privilege escalation. The service accepts XPC connections from any local process without validating the client's identity, and its authorization logic incorrectly calls AuthorizationCopyRights with a NULL reference, causing all authorization checks to succeed. The executeCommand:authorization:withReply: method then interpolates attacker-controlled input into NSTask and executes it with root privileges. A local attacker can exploit these weaknesses to run arbitrary commands as root, create persistent backdoors, or obtain a fully interactive root shell. | ||||
| CVE-2025-65841 | 2 Acusticaudio, Apple | 2 Aquarius Desktop, Macos | 2025-12-05 | 6.2 Medium |
| Aquarius Desktop 3.0.069 for macOS stores user authentication credentials in the local file ~/Library/Application Support/Aquarius/aquarius.settings using a weak obfuscation scheme. The password is "encrypted" through predictable byte-substitution that can be trivially reversed, allowing immediate recovery of the plaintext value. Any attacker who can read this settings file can fully compromise the victim's Aquarius account by importing the stolen configuration into their own client or login through the vendor website. This results in complete account takeover, unauthorized access to cloud-synchronized data, and the ability to perform authenticated actions as the user. | ||||
| CVE-2025-13992 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-12-05 | 4.7 Medium |
| Side-channel information leakage in Navigation and Loading in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2025-13630 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-12-04 | 8.8 High |
| Type Confusion in V8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2025-13631 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-12-04 | 8.8 High |
| Inappropriate implementation in Google Updater in Google Chrome on Mac prior to 143.0.7499.41 allowed a remote attacker to perform privilege escalation via a crafted file. (Chromium security severity: High) | ||||
| CVE-2025-13632 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-12-04 | 5.4 Medium |
| Inappropriate implementation in DevTools in Google Chrome prior to 143.0.7499.41 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: High) | ||||