PROBABLYPWNED
Vulnerabilities | March 21, 2026 | 4 min read

CISA Adds Apple, Craft CMS, Laravel Bugs to KEV Catalog

Five vulnerabilities under active exploitation added to CISA's KEV catalog. Federal agencies must patch by April 3, 2026. Includes three Apple kernel flaws and Laravel RCE.

Marcus Chen

CISA added five vulnerabilities to its Known Exploited Vulnerabilities catalog on March 20, 2026, confirming active exploitation in the wild. Federal agencies face an April 3 remediation deadline, but private organizations should treat these as equally urgent.

The additions include three Apple kernel vulnerabilities, a Craft CMS code injection flaw, and an unauthenticated RCE in Laravel Livewire. The diversity of affected platforms—from mobile devices to web frameworks—means most organizations likely have at least one of these in their environment.

The Five Vulnerabilities

CVE              Product                  Vulnerability Type
CVE-2025-31277   Apple Multiple Products  Buffer Overflow (WebKit)
CVE-2025-32432   Craft CMS                Code Injection
CVE-2025-43510   Apple Multiple Products  Improper Locking
CVE-2025-43520   Apple Multiple Products  Classic Buffer Overflow
CVE-2025-54068   Laravel Livewire         Code Injection

Apple Vulnerabilities

Three of the five additions target Apple's kernel and WebKit components, affecting iOS, iPadOS, macOS, and other Apple platforms.

CVE-2025-31277 is a WebKit buffer overflow that can result in memory corruption when processing malicious web content. WebKit vulnerabilities are particularly concerning because exploitation requires only visiting a crafted webpage—no user interaction beyond navigation.

CVE-2025-43510 and CVE-2025-43520 are kernel-level flaws. The improper locking vulnerability (CVE-2025-43510) could allow malicious applications to cause system termination, while the buffer overflow (CVE-2025-43520) enables memory corruption that could lead to code execution.

Apple patched these in recent security updates. Users running older iOS or macOS versions should update immediately—the exploitation timeline predates the KEV addition, meaning attackers have already operationalized these flaws.

For context on the ongoing threat landscape targeting Apple devices, we recently covered the DarkSword iOS exploit chain being used in infostealer campaigns.

Craft CMS Code Injection

CVE-2025-32432 affects Craft CMS, a popular content management system used by marketing teams and agencies. The code injection vulnerability allows attackers to execute arbitrary code on vulnerable installations.

Craft CMS deployments often run on shared hosting or PaaS environments where patch management may lag behind self-managed infrastructure. Organizations using Craft should verify their version and apply available updates.

Laravel Livewire RCE

CVE-2025-54068 is an unauthenticated remote command execution vulnerability in Laravel Livewire, a full-stack framework for Laravel. The flaw allows attackers to execute commands without any authentication requirements.

Laravel powers millions of web applications, and Livewire's popularity as a reactive UI framework means this vulnerability has broad exposure. The unauthenticated nature makes it particularly dangerous for internet-facing applications.

Web application vulnerabilities in popular frameworks continue to be actively targeted—we saw similar patterns with the SharePoint deserialization RCE added to KEV earlier this week.

What Federal Agencies Must Do

Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate these vulnerabilities by April 3, 2026. The short timeline reflects the confirmed active exploitation status.

Recommendations for Private Organizations

While BOD 22-01 only binds federal agencies, CISA strongly encourages all organizations to prioritize these patches. The KEV catalog represents a curated list of vulnerabilities confirmed to be exploited in real attacks—not theoretical risks.

Prioritize by exposure:

  1. Internet-facing Laravel/Livewire applications - highest risk for immediate compromise
  2. Craft CMS installations - check version and patch status
  3. Apple devices - ensure automatic updates are enabled; manually verify for managed device fleets
  4. Web applications serving Apple users - WebKit flaws can be triggered by visiting malicious sites

For organizations with vulnerability management programs, KEV additions should trigger immediate triage regardless of CVSS scores. Active exploitation means someone is already using these flaws—the only question is whether you're on their target list.
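The prioritization described above (exposure tier first, CISA due date second, CVSS not consulted) is easy to automate against the catalog's JSON feed. The script below is an added example, not code from this article or from CISA. The top-level "vulnerabilities" array and the field names cveID, vendorProject, product, dateAdded and dueDate are those of the real feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the feed excerpt, the vendor/product wording and the asset inventory are constructed to mirror the five CVEs in this article and are assumptions, not the catalog's exact records. The "Multiple Products" handling is the one edge case worth getting right: Apple entries are filed under that catch-all, so a naive product-name match would miss every iOS or macOS asset.

```python
"""Triage newly added KEV entries against an asset inventory, most exposed first.

Added example. Field names (vulnerabilities, cveID, vendorProject, product,
dateAdded, dueDate) follow CISA's published JSON feed; the excerpt and the
inventory below are constructed and mirror the five CVEs in the article.
"""
import json
from datetime import date, datetime

# Constructed KEV excerpt. Vendor/product strings are assumptions, not the
# catalog's exact wording; CVE ids and dates are those the article reports.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-2025-31277", "vendorProject": "Apple", "product": "Multiple Products",
     "dateAdded": "2026-03-20", "dueDate": "2026-04-03"},
    {"cveID": "CVE-2025-32432", "vendorProject": "Craft CMS", "product": "Craft CMS",
     "dateAdded": "2026-03-20", "dueDate": "2026-04-03"},
    {"cveID": "CVE-2025-43510", "vendorProject": "Apple", "product": "Multiple Products",
     "dateAdded": "2026-03-20", "dueDate": "2026-04-03"},
    {"cveID": "CVE-2025-43520", "vendorProject": "Apple", "product": "Multiple Products",
     "dateAdded": "2026-03-20", "dueDate": "2026-04-03"},
    {"cveID": "CVE-2025-54068", "vendorProject": "Laravel", "product": "Livewire",
     "dateAdded": "2026-03-20", "dueDate": "2026-04-03"}
  ]
}
"""

# Constructed inventory (hypothetical asset names). No CVSS column on purpose:
# a KEV listing already settles the priority question.
INVENTORY = [
    {"name": "customer-portal", "vendor": "Laravel", "product": "Livewire",
     "exposure": "internet", "patched": False},
    {"name": "marketing-site", "vendor": "Craft CMS", "product": "Craft CMS",
     "exposure": "internet", "patched": False},
    {"name": "intranet-wiki", "vendor": "Craft CMS", "product": "Craft CMS",
     "exposure": "internal", "patched": True},
    {"name": "mdm-iphone-fleet", "vendor": "Apple", "product": "iOS",
     "exposure": "endpoint", "patched": False},
]

# Lower rank = reached first by an opportunistic attacker.
EXPOSURE_RANK = {"internet": 0, "internal": 1, "endpoint": 2}


def _iso(s: str) -> date:
    return datetime.strptime(s, "%Y-%m-%d").date()


def load_kev(feed_json: str) -> list:
    """Parse the feed and return its 'vulnerabilities' array."""
    return json.loads(feed_json)["vulnerabilities"]


def added_on_or_after(entries: list, since: date) -> list:
    """Keep only entries whose dateAdded is on or after `since` (the new batch)."""
    return [e for e in entries if _iso(e["dateAdded"]) >= since]


def affects(entry: dict, asset: dict) -> bool:
    """Does a KEV entry apply to an inventory asset?

    Vendor names are compared case-insensitively. CISA's catch-all product
    "Multiple Products" is treated as covering every product of that vendor,
    so an iOS fleet matches an Apple "Multiple Products" entry.
    """
    if entry["vendorProject"].casefold() != asset["vendor"].casefold():
        return False
    if entry["product"].casefold() == "multiple products":
        return True
    return entry["product"].casefold() == asset["product"].casefold()


def triage(entries: list, inventory: list, today: date) -> list:
    """Pair each unpatched affected asset with its KEV entry, most exposed first.

    Sort keys: exposure tier, then days left before CISA's due date, then CVE id.
    """
    findings = []
    for entry in entries:
        due = _iso(entry["dueDate"])
        for asset in inventory:
            if asset["patched"] or not affects(entry, asset):
                continue
            days_left = (due - today).days
            findings.append({
                "cve": entry["cveID"],
                "asset": asset["name"],
                "exposure": asset["exposure"],
                "days_until_due": days_left,
                "overdue": days_left < 0,
            })
    findings.sort(key=lambda f: (EXPOSURE_RANK[f["exposure"]],
                                 f["days_until_due"], f["cve"]))
    return findings


def run_example(today_iso: str = "2026-03-21") -> list:
    """Triage the constructed excerpt's March 20 additions as of `today_iso`."""
    entries = added_on_or_after(load_kev(KEV_FEED_JSON), date(2026, 3, 20))
    return triage(entries, INVENTORY, _iso(today_iso))


if __name__ == "__main__":
    for f in run_example():
        flag = "OVERDUE" if f["overdue"] else f"{f['days_until_due']}d left"
        print(f"{f['exposure']:<8} {f['cve']:<15} {f['asset']:<18} {flag}")
```

Run as-is, it lists the two internet-facing web applications ahead of the managed iPhone fleet and drops the already-patched intranet Craft instance; pointing it at the live feed only means replacing KEV_FEED_JSON with the downloaded file and INVENTORY with an export from your CMDB, keeping the same vendor/product vocabulary CISA uses.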

Why This Matters

The KEV catalog has become an essential prioritization tool for security teams overwhelmed by vulnerability volume. With tens of thousands of CVEs published annually, knowing which ones are actually being exploited cuts through the noise.

This batch of additions also demonstrates the breadth of exploitation activity. Attackers aren't limiting themselves to one platform or technology stack—they're opportunistically exploiting whatever provides access. A vulnerability management program that only focuses on one vendor or technology leaves gaps that adversaries will find.

For deeper guidance on vulnerability prioritization, see our resources on online safety fundamentals and monitor the CISA KEV catalog directly for new additions.
