The Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on March 22, 2026: a kernel memory corruption flaw in Apple operating systems, a remote code execution vulnerability in Craft CMS, and an insecure file upload flaw in the Laravel Livewire framework. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate all three by April 12, 2026, three weeks after listing, to reduce the risk of unauthorized access and data exfiltration.
The Apple vulnerability, tracked as CVE-2026-27901, is a memory corruption bug in the kernel. According to Apple's advisory, an application can exploit it to execute arbitrary code with kernel privileges. Apple lists iOS 19.3.1 and earlier, iPadOS 19.3.1 and earlier, and macOS 16.2 and earlier as affected, released patches today for those systems, and said it is aware of reports that the issue may have been actively exploited against versions of iOS released before January 2026. Because the bug is reached from an ordinary app, it defeats the application sandbox that normally confines third-party code. Note the precondition: the attacker must already have code running on the device, which is why kernel bugs of this kind are usually chained with a browser or messaging exploit that supplies the initial foothold. Given Apple's roughly 2.2 billion active devices, the unpatched population is large, and updating is the only complete mitigation.
CISA also listed CVE-2026-28105, which affects Laravel Livewire, a widely used full-stack framework for the Laravel PHP ecosystem. The flaw is an insecure file upload mechanism in versions 3.0.0 through 3.5.12: an attacker can upload a malicious script to the web server, and if that file lands somewhere the server will execute it, the result is full system compromise. The maintainers fixed the issue in version 3.6.0, which applies stricter validation to temporary file uploads and sanitizes the metadata attached to incoming requests. The vulnerability came to light after a series of unauthorized access incidents involving applications built on the framework. Until 3.6.0 is deployed, operators should confirm that the temporary upload location is not served with script execution enabled; that limits the damage from this class of bug but does not replace the patch.
The third addition, CVE-2026-28212, is a critical remote code execution (RCE) vulnerability in Craft CMS versions 4.12.0 and 5.1.0. It sits in the content management system's image processing library, where insufficient input validation lets an attacker execute unauthorized commands. Craft CMS issued emergency releases 5.1.1 and 4.12.1 and said the flaw had been used in targeted attacks on media and financial services organizations. The exploit needs no authentication: a specially crafted request to the image transformation endpoint is enough to gain administrative control of the installation. Any internet-reachable instance on an affected version should therefore be treated as exposed regardless of how tightly accounts are managed, and access logs for that endpoint are worth reviewing for earlier attempts while the patch is rolled out.
CISA's KEV catalog exists to help organizations prioritize vulnerability management on evidence of active exploitation rather than on severity scores alone. BOD 22-01 binds only federal agencies, but CISA strongly urges private sector organizations to review their exposure to these CVEs as well, noting that flaws of this kind are routinely used by advanced persistent threat (APT) actors for initial access to enterprise networks. With these three entries the catalog now holds more than 1,200 vulnerabilities, reflecting a continuing pattern of attackers targeting widely used development frameworks and consumer platforms.
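The following is an added example, not code from the article, from CISA, or from the Craft or Livewire projects. It shows one way to operationalize the prioritization described above for the two PHP components: a Python script that reads a KEV-format feed and a composer.lock, compares installed versions against the affected ranges, and reports each hit with its BOD 22-01 due date. The KEV feed itself carries no affected-version data, so the `AFFECTED` table is transcribed from the advisories as this article reports them. The KEV excerpt and the composer.lock are constructed inline so the script runs offline; the feed URL in the comments is CISA's published JSON feed, and the function and table names are the example's own.

```python
import json
import re
from datetime import date

# Constructed KEV-format excerpt. Field names follow the schema of CISA's live feed at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json ;
# the entries are transcribed from the article, not fetched from CISA.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-27901", "vendorProject": "Apple", "product": "Multiple Products",
         "dateAdded": "2026-03-22", "dueDate": "2026-04-12"},
        {"cveID": "CVE-2026-28105", "vendorProject": "Laravel", "product": "Livewire",
         "dateAdded": "2026-03-22", "dueDate": "2026-04-12"},
        {"cveID": "CVE-2026-28212", "vendorProject": "Craft CMS", "product": "Craft CMS",
         "dateAdded": "2026-03-22", "dueDate": "2026-04-12"},
    ],
})

# Constructed composer.lock excerpt for a hypothetical deployment: Livewire still on a
# vulnerable release, Craft already on the fixed release.
COMPOSER_LOCK_SAMPLE = json.dumps({
    "packages": [
        {"name": "livewire/livewire", "version": "v3.5.12"},
        {"name": "craftcms/cms", "version": "5.1.1"},
        {"name": "laravel/framework", "version": "v11.30.0"},
    ],
    "packages-dev": [],
})

# Affected ranges are not in the KEV feed; these are taken from the advisories as the
# article reports them. Each range is [lo, hi): hi is the first fixed release.
AFFECTED = {
    "CVE-2026-28105": {"package": "livewire/livewire",
                       "ranges": [("3.0.0", "3.6.0")], "fix": "3.6.0"},
    "CVE-2026-28212": {"package": "craftcms/cms",
                       "ranges": [("4.12.0", "4.12.1"), ("5.1.0", "5.1.1")],
                       "fix": "4.12.1 / 5.1.1"},
}


def parse_version(text):
    """'v3.5.12' -> (3, 5, 12). Returns None for non-numeric versions such as
    Composer's 'dev-main'. Pre-release suffixes ('-beta.1') are dropped, so a
    pre-release of the fixed version counts as fixed; tighten if you ship those."""
    core = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not core:
        return None
    parts = [int(p) for p in core.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version, ranges):
    """True if version falls in any [lo, hi) range. An unparseable version (a branch
    checkout) is treated as affected so it is flagged for manual review, not silently passed."""
    v = parse_version(version)
    if v is None:
        return True
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def installed_packages(lock_json):
    """Map package name -> version across both runtime and dev sections of composer.lock."""
    lock = json.loads(lock_json)
    return {p["name"]: p["version"]
            for key in ("packages", "packages-dev") for p in lock.get(key, [])}


def find_exposures(kev_json, lock_json, today_iso):
    """Return KEV entries whose package is installed at a vulnerable version, earliest
    due date first. today_iso ('YYYY-MM-DD') is passed in so results are reproducible."""
    today = date.fromisoformat(today_iso)
    installed = installed_packages(lock_json)
    hits = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        info = AFFECTED.get(entry["cveID"])
        if info is None or info["package"] not in installed:
            continue  # no range data for this CVE, or software we do not run
        version = installed[info["package"]]
        if not is_affected(version, info["ranges"]):
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"cve": entry["cveID"], "package": info["package"],
                     "installed": version, "fix": info["fix"],
                     "due": entry["dueDate"], "days_left": (due - today).days})
    return sorted(hits, key=lambda h: (h["due"], h["cve"]))


if __name__ == "__main__":
    for hit in find_exposures(KEV_SAMPLE, COMPOSER_LOCK_SAMPLE, "2026-03-25"):
        print(f"{hit['cve']}: {hit['package']} {hit['installed']} -> upgrade to {hit['fix']} "
              f"(BOD 22-01 due {hit['due']}, {hit['days_left']} days left)")
```

Run against a real lock file by replacing the two sample strings with the file contents and the KEV JSON downloaded from CISA; the Apple entry is skipped only because no package range is recorded for it, which is the right behaviour for a feed entry you have not yet mapped. A `dev-*` version is deliberately reported as a hit, since a branch checkout may or may not contain the fix and needs a human to decide.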