Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems.

“Apple is aware of a report that this issue may have been exploited,” the company said in an advisory issued on Tuesday.

The two bugs were found in the macOS Sequoia JavaScriptCore (CVE-2024-44308) and WebKit (CVE-2024-44309) components of macOS.

The JavaScriptCore CVE-2024-44308 flaw allows attackers to achieve remote code execution through maliciously crafted web content. The other flaw, CVE-2024-44309, allows cross-site scripting (CSS) attacks.

The company says it addressed the security flaws in macOS Sequoia 15.1.1.

As the same components are found in other Apple operating systems, it was also fixed in iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, and visionOS 2.1.1.

While Apple says both flaws were discovered by Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group, the company has not provided further details on how they were exploited.

BleepingComputer contacted Google to learn how the flaws were exploited but was told that they have nothing more to share at this time.

With these two vulnerabilities, Apple has fixed six zero-days so far in 2024, with the first in January, two in March, and the fourth in May.

This number is significantly better than last year when Apple fixed a total of 20 zero-day flaws exploited in the wild, including: