Description
An injection issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.
Published: 2025-12-12
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive user data disclosure
Action: Update macOS
AI Analysis

Impact

An injection issue in macOS arose from insufficient input validation, permitting an application to read sensitive user data. The weakness is identified as CWE-95, and the fix involves improved validation. The vulnerability does not lead to arbitrary code execution or denial of service, but it potentially exposes private information.

Affected Systems

Apple macOS installations prior to macOS Tahoe 26.1 are affected. Versions newer than or equal to 26.1 contain the remediation.

Risk and Exploitability

Based on the description, it is inferred that an attacker would need to trigger the injection through a local application; remote exploitation is not indicated. The CVSS score of 3.3 reflects a low overall risk, and the EPSS score of < 1% suggests that exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog, further indicating limited observed exploitation. Consequently, the threat to general users remains low.

Generated by OpenCVE AI on April 28, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade macOS to version 26.1 (macOS Tahoe) or later to receive the fixed code.
  • Ensure that all third‑party applications that interact with macOS APIs are updated to leverage the patched code.
  • Monitor system logs for anomalous reads of sensitive data, focusing on applications that previously had known access issues.

Generated by OpenCVE AI on April 28, 2026 at 10:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://support.apple.com/en-us/125634 cve-icon cve-icon
History

Tue, 28 Apr 2026 10:45:00 +0000

Type Values Removed Values Added
Title macOS Injection Vulnerability Permitting Access to Sensitive User Data

Mon, 15 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Mon, 15 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-95
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Apple macos Tahoe
Vendors & Products Apple
Apple macos
Apple macos Tahoe

Fri, 12 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Description An injection issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.
References

Subscriptions

Apple Macos Macos Tahoe
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:11:31.466Z

Reserved: 2025-04-16T15:24:37.117Z

Link: CVE-2025-43388

cve-icon Vulnrichment

Updated: 2025-12-15T20:26:15.573Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-12T21:15:53.617

Modified: 2025-12-15T22:01:38.240

Link: CVE-2025-43388

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T10:30:29Z

Weaknesses