Path traversal in macOS - CVE-2026-28816

 


Published: March 25, 2026


Vulnerability identifier: #VU124395
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-28816
CWE-ID: CWE-22
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Apple Inc.
Affected software: macOS

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary code or escalate privileges.

The vulnerability exists due to improper input validation in the Notes component when opening a specially crafted file. A local user can open a malicious file to trigger the vulnerability and execute arbitrary code or escalate privileges.

Successful exploitation may allow the attacker to execute code in the context of the current user or gain elevated privileges if the Notes application runs with higher privileges.


How to mitigate CVE-2026-28816

Install the update from the vendor's website.
