Description
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3, visionOS 26.3. An app may be able to access sensitive user data.
Published: 2026-02-11
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Apply Patch
AI Analysis

Impact

A parsing issue in the handling of directory paths was reported for multiple Apple operating systems. The vulnerability may allow an application to access sensitive user data. The weakness aligns with a classic path‑traversal flaw (CWE‑22), inferred from the nature of the directory path parsing problem stated in the advisory.

Affected Systems

iOS releases 18.7.5 and 26.3, iPadOS releases 18.7.5 and 26.3, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3, and visionOS 26.3 are vulnerable. Devices running versions older than these lists are affected.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate potential impact, and the EPSS score of less than 1 % suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying that no widespread exploitation has been observed. Based on the description, it is inferred that an attacker could exploit this issue by delivering or running a malicious application in a context that the system trusts; the application could then traverse directories and read files that should be out of reach. Because the flaw does not provide remote code execution or privilege escalation, the risk is confined to applications already permitted to run on the device.

Generated by OpenCVE AI on April 16, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to iOS 18.7.5 or later, iOS 26.3 or later, iPadOS 18.7.5 or later, iPadOS 26.3 or later, macOS Sequoia 15.7.4 or later, macOS Sonoma 14.8.4 or later, macOS Tahoe 26.3 or later, and visionOS 26.3 or newer
  • Ensure that all installed applications are obtained from trusted sources and comply with Apple’s sandboxing policies
  • Watch Apple’s support site for patch releases and apply them as soon as they are available

Generated by OpenCVE AI on April 16, 2026 at 00:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Title Apple OS Directory Path Parsing Flaw Enabling Unauthorized Data Access

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3. An app may be able to access sensitive user data. A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3, visionOS 26.3. An app may be able to access sensitive user data.

Fri, 13 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Thu, 12 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple visionos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple visionos

Wed, 11 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3. An app may be able to access sensitive user data.
References

Subscriptions

Apple Ios And Ipados Ipados Iphone Os Macos Visionos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:23:29.915Z

Reserved: 2025-11-11T14:43:07.864Z

Link: CVE-2026-20653

cve-icon Vulnrichment

Updated: 2026-02-12T19:08:31.413Z

cve-icon NVD

Status : Modified

Published: 2026-02-11T23:16:08.130

Modified: 2026-04-02T19:21:18.023

Link: CVE-2026-20653

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T01:00:19Z

Weaknesses