
March 25, 2026 vulnerability digest: Apple sandbox escapes, Cisco IOS XE bundle

By Artem Safonov, Threat Analyst
Cover © Anonhaven

Apple patched at least 21 vulnerabilities across every platform in active support on March 25, 2026. Cisco released its March 2026 semiannual IOS and IOS XE advisory bundle, covering CAPWAP, DHCP snooping, and IKEv2 flaws in enterprise network infrastructure. Two npm packages (node-tesseract-ocr and pdf-image) received CVSS 9.8 command injection CVEs that allow OS-level compromise through unsanitised file paths.

Apple

Apple's updates cover macOS Tahoe 26.4, Sequoia 15.7.5, Sonoma 14.8.5, iOS 26.4, and iPadOS 26.4. Apple also patched tvOS, watchOS, visionOS, and Safari. HKCERT lists at least 21 CVEs spanning denial of service, privilege escalation, remote code execution, and information disclosure.

CVE-2026-28891 (CVSS 8.1) is a sandbox escape via race condition in macOS. An app can break out of its sandbox. Apple fixed it in macOS Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4. CVE-2026-28817 (CVSS 8.1) is a second race condition in macOS, addressed with improved state management.

CVE-2026-28875 (CVSS 7.5) is a buffer overflow in iOS 26.4 and iPadOS 26.4. Tuan D. Hoang and Yongdae Kim at KAIST SysSec Lab reported it. A remote attacker can trigger denial of service. CVE-2026-28894 (CVSS 7.5) is a separate DoS flaw addressed with improved input validation.

CVE-2026-28877 bypasses Stolen Device Protection on iPhones. An attacker with physical access can reach biometrics-gated Protected Apps using only the device passcode. Researchers at Nosebeard Labs reported the flaw.

Apple's advisory does not flag any of the 21 CVEs as exploited in the wild.

Cisco semiannual IOS/IOS XE bundle

Cisco released its March 2026 semiannual bundle on March 25. Three of the five CVEs in the day's pipeline are unauthenticated, remotely exploitable denial-of-service flaws targeting network infrastructure.

CVE-2026-20086 (CVSS 8.6) causes device reload on Catalyst CW9800 wireless controllers via a malformed CAPWAP packet. No workarounds exist. CVE-2026-20084 (CVSS 8.6) hits DHCP snooping on Catalyst 9000 switches, forwarding BOOTP packets between VLANs and driving CPU utilisation to the point of device unreachability.

CVE-2026-20012 (CVSS 8.6) triggers a memory leak in IKEv2 across Cisco IOS, IOS XE, ASA, and FTD. Crafted IKEv2 packets from an unauthenticated remote attacker exhaust device memory. CVE-2026-20125 (CVSS 7.7) crashes the HTTP Server in IOS and IOS XE Release 3E via malformed requests, but requires a valid user account.

The bundle also covers SCP DoS, IOx XSS, IOx CRLF injection, and a maintenance-mode denial of service. Enterprise teams should review the full publication, not just the five CVEs highlighted here.

npm command injection

Two npm packages scored CVSS 9.8 for command injection. CVE-2026-26832 affects all versions of node-tesseract-ocr, a Node.js wrapper for Tesseract OCR. CVE-2026-26830 affects pdf-image before version 2.0.0. Both pass user-controlled file paths to shell execution without sanitisation.

A filename containing shell metacharacters (backticks, $(), semicolons) becomes arbitrary OS command execution in Node.js. Any web application that accepts file uploads and routes them through either package for OCR or PDF conversion is vulnerable.

Also notable

CVE-2025-32991 (CVSS 9.0) is RCE in N2WS Backup & Recovery before 4.4.0. N2WS backs up AWS and Azure environments. RCE in a backup tool means potential access to restore credentials and the recovery infrastructure itself. CVE-2026-2995 (CVSS 7.7) hits GitLab EE from version 15.4 through 18.10.1.

March 25 is a vendor coordination day. Apple and Cisco both released scheduled multi-product updates that enterprise patch management teams plan quarterly cycles around. The Apple update covers every platform in active support. The Cisco bundle covers the IOS and IOS XE stack that runs campus, branch, and WAN infrastructure. The npm command injection pair targets a different audience entirely. Any Node.js project that processes user-uploaded files through node-tesseract-ocr or pdf-image needs an immediate audit. The fix is to use spawn with argument arrays instead of exec with string concatenation.

| Product | Action | Status |
|---|---|---|
| Apple macOS / iOS / iPadOS (21 CVEs) | Update all Apple devices to latest versions | Patched |
| Cisco IOS XE CW9800 (CVE-2026-20086) | Apply bundle patch, no workaround | CVSS 8.6, unauth DoS |
| Cisco Catalyst 9000 DHCP (CVE-2026-20084) | Apply bundle patch | CVSS 8.6, BOOTP VLAN leak |
| Cisco IKEv2 (CVE-2026-20012) | Apply bundle patch | CVSS 8.6, memory leak |
| node-tesseract-ocr (CVE-2026-26832) | Audit projects, switch to spawn() | CVSS 9.8, all versions |
| pdf-image (CVE-2026-26830) | Update to 2.0.0+ | CVSS 9.8, command injection |
| N2WS Backup (CVE-2025-32991) | Update to 4.4.0+ | CVSS 9.0, RCE in AWS/Azure backup |

Update all Apple devices. Review the full Cisco March 2026 IOS/IOS XE bundle and prioritise the three unauthenticated DoS advisories (CAPWAP, DHCP snooping, IKEv2). Audit Node.js projects for node-tesseract-ocr and pdf-image dependencies. This digest follows the March 24 digest covering Firefox 149, Chrome 146, and Langflow RCEs.


Questions on the topic

What did Apple patch on March 25, 2026?
Apple patched at least 21 CVEs across macOS Tahoe 26.4, Sequoia 15.7.5, Sonoma 14.8.5, iOS 26.4, iPadOS 26.4, and other platforms. Fixes include sandbox escapes, buffer overflows, and a Stolen Device Protection bypass.