Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
This issue was addressed with improved access restrictions. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. Processing maliciously crafted web content may disclose sensitive user information.
AnalysisAI
Information disclosure in Apple WebKit allows remote attackers to extract sensitive user data by serving maliciously crafted web content to Safari or in-app browsers across iOS, iPadOS, macOS, and visionOS. Fixed in iOS/iPadOS 18.7.9, iOS/iPadOS 26.5, macOS Tahoe 26.5, and visionOS 26.5. Despite high CVSS 7.5, EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation attempts in the wild. No CISA KEV listing and no public exploit code identified at time of analysis. Apple characterizes this as an access restriction flaw (CWE-200), suggesting the vulnerability bypasses same-origin policy or other browser security boundaries to leak data cross-domain.
Technical ContextAI
This is a WebKit browser engine vulnerability affecting Apple's rendering engine used across all its operating systems. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) indicates inadequate access controls allowed web content to bypass isolation boundaries. WebKit implements critical security boundaries including same-origin policy, site isolation, and content security policies. The CVSS vector's Confidentiality impact of 'None' contradicts the description mentioning sensitive information disclosure-this discrepancy likely stems from initial scoring error, as information disclosure vulnerabilities typically have C:H (high confidentiality impact). The vulnerability resides in web content processing logic where crafted HTML, JavaScript, CSS, or embedded resources could trigger unauthorized data access. Affected CPE strings confirm impact across cpe:2.3:a:apple:ios_and_ipados, cpe:2.3:a:apple:macos, and cpe:2.3:a:apple:visionos, specifically WebKit components integrated into Safari and WKWebView frameworks used by third-party applications.
RemediationAI
Update immediately to vendor-released patched versions: iOS/iPadOS 18.7.9 for devices on the 18.x branch, iOS/iPadOS 26.5 for newer devices, macOS Tahoe 26.5, and visionOS 26.5. Patches available through standard Apple Software Update mechanisms (Settings > General > Software Update on iOS/iPadOS, System Settings > General > Software Update on macOS). Apple characterizes the fix as 'improved access restrictions' suggesting enhanced isolation between web content contexts. Organizations unable to patch immediately should implement compensating controls: disable JavaScript in Safari (Settings > Safari > Advanced > JavaScript off) which breaks most website functionality but prevents script-based exploitation, restrict web browsing to trusted domains only via mobile device management profiles or network filtering, or deploy web isolation technologies that render untrusted content in remote sandboxed environments. JavaScript disabling significantly impacts usability and should only be temporary. No evidence suggests private browsing mode or content blockers mitigate this specific WebKit engine flaw.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29266
GHSA-qj7c-h383-wq37