Description
A path handling issue was addressed with improved validation. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5, tvOS 18.4, watchOS 11.4. A malicious app may be able to access private information.
Published: 2025-03-31
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Breach
Action: Apply Patch
AI Analysis

Impact

A path handling flaw allows a malicious application to read data that should be protected. The weakness is a file path validation error that can grant an app unauthorized access to private files, resulting in a confidentiality compromise. The impact is limited to read‑only access to those files and does not enable arbitrary code execution.

Affected Systems

The vulnerability affects Apple’s mobile and desktop operating systems. Systems prior to iOS 18.4 and iPadOS 18.4 are affected, as well as macOS versions older than Sequoia 15.4 or Sonoma 14.7.5. On television and wearable devices, the fix is included in tvOS 18.4 and watchOS 11.4, meaning earlier tvOS and watchOS versions remain vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity, and the EPSS score of less than 1% indicates a very low estimated likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The attack vector appears to be local, requiring an adversary to get a malicious app installed on the device. Once installed, the app can use the flawed path handling to read restricted data; no elevation of privilege or code execution is needed for this. Updating to the fixed OS releases mitigates the risk.

Generated by OpenCVE AI on April 28, 2026 at 02:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update all affected Apple devices to the latest OS versions: iOS 18.4 or later, iPadOS 18.4 or later, macOS Sequoia 15.4 or Sonoma 14.7.5 or later, tvOS 18.4 or later, and watchOS 11.4 or later.
  • If an update is not immediately possible, restrict the installation of new or unverified applications by enabling the App Store restrictions or applying a device management policy that blocks unknown apps.
  • Monitor Apple Security Advisories and errata for any new information or additional mitigations that may be released in future OS updates.



Advisories
Source: EUVD
ID: EUVD-2025-8896
Title: A path handling issue was addressed with improved validation. This issue is fixed in macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, tvOS 18.4, macOS Sequoia 15.4. A malicious app may be able to access private information.

History

Tue, 28 Apr 2026 03:15:00 +0000

Type: Title
Values Removed: (none)
Values Added: Path Handling Issue Allowing Malicious App to Access Private Information

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: A path handling issue was addressed with improved validation. This issue is fixed in macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, tvOS 18.4, macOS Sequoia 15.4. A malicious app may be able to access private information.
Values Added: A path handling issue was addressed with improved validation. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5, tvOS 18.4, watchOS 11.4. A malicious app may be able to access private information.

Type: References

Mon, 03 Nov 2025 22:30:00 +0000


Mon, 03 Nov 2025 20:30:00 +0000

Type: References

Mon, 07 Apr 2025 14:45:00 +0000

Type: First Time appeared
Values Added: Apple; Apple ipados; Apple iphone Os; Apple macos; Apple tvos

Type: CPEs
Values Added:
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Apple; Apple ipados; Apple iphone Os; Apple macos; Apple tvos

Tue, 01 Apr 2025 14:15:00 +0000

Type: Weaknesses
Values Added: CWE-200

Type: Metrics
Values Added:
cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 22:45:00 +0000

Type: Description
Values Added: A path handling issue was addressed with improved validation. This issue is fixed in macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, tvOS 18.4, macOS Sequoia 15.4. A malicious app may be able to access private information.

Type: References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:16:55.915Z

Reserved: 2025-03-22T00:04:43.720Z

Link: CVE-2025-30454

Vulnrichment

Updated: 2025-04-01T13:52:14.080Z

NVD

Status: Modified

Published: 2025-03-31T23:15:26.930

Modified: 2026-04-02T19:19:39.890

Link: CVE-2025-30454

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T03:00:10Z
