The vulnerability arises from an insufficient user consent step when resolving symbolic links, allowing an attacker who controls a website to read sensitive user data that the site otherwise could not access. This flaw is a classic path‑traversal issue (CWE‑59) and can lead to the disclosure of files such as user documents, photos, or passwords. The effect is that a malicious web page can bypass the normal data‑access controls and retrieve private information from the user’s device.

Apple macOS is affected, with the problem present in the Sequoia releases before version 15.6. The fix was introduced in macOS Sequoia 15.6, which adds an additional prompt for user consent before resolving symlinks. Devices running Sequoia 15.5 or older are vulnerable, while 15.6 and newer are not affected.

The CVSS score of 6.5 places the flaw in the moderate category, and the EPSS score of less than 1 percent indicates a very low short‑term likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is likely remote, leveraging a website that prompts a user to resolve a symlink. While an attacker could potentially read sensitive data, no privilege escalation or persistent compromise is possible. Consequently, the overall risk remains mitigated by the low exploitation probability, but the availability of a user‑interactive fix encourages timely patching.