Skip to main content

WebKit CVE-2026-43660

| EUVDEUVD-2026-29305 HIGH
Protection Mechanism Failure (CWE-693)
2026-05-11 apple GHSA-xcxj-2mhj-x95h
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE
HIGH
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:30 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:07 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:07 nvd
HIGH 7.5

DescriptionCVE.org

A validation issue was addressed with improved logic. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.

AnalysisAI

Content Security Policy bypass in Apple WebKit allows remote attackers to access sensitive information via maliciously crafted web content. Affects all major Apple platforms (iOS/iPadOS, macOS, tvOS, visionOS, watchOS) prior to their respective 26.5 releases (iOS/iPadOS also fixed in 18.7.9). Vendor-released patches available across all platforms. EPSS score of 0.03% (10th percentile) indicates low observed exploitation probability despite network-accessible attack vector requiring no authentication or user interaction. No public exploit code or CISA KEV listing identified at time of analysis.

Technical ContextAI

This vulnerability affects WebKit, Apple's browser engine powering Safari and web views across all Apple platforms. The flaw involves CWE-693 (Protection Mechanism Failure), specifically a validation weakness in WebKit's Content Security Policy (CSP) enforcement logic. CSP is a critical browser security mechanism that restricts which resources a webpage can load, preventing cross-site scripting and data injection attacks. The validation issue allows attackers to craft web content that bypasses CSP restrictions, undermining a fundamental web security control. CPE data confirms impact across Apple's entire ecosystem: iOS/iPadOS (mobile devices and tablets), macOS (desktop/laptop), tvOS (Apple TV), visionOS (Vision Pro headset), and watchOS (Apple Watch).

RemediationAI

Apply vendor-released patches immediately: upgrade iOS and iPadOS devices to version 18.7.9 or 26.5 (depending on device compatibility), macOS systems to Tahoe 26.5, Apple TV devices to tvOS 26.5, Vision Pro headsets to visionOS 26.5, and Apple Watch devices to watchOS 26.5. Updates available through standard Apple software update mechanisms (Settings > General > Software Update on iOS/iPadOS, System Settings > General > Software Update on macOS). Organizations managing Apple devices via MDM should deploy these updates through established patch management workflows. No workaround mitigates the CSP bypass without patching; however, defense-in-depth strategies reduce risk: implement server-side input validation and output encoding independent of CSP, deploy Web Application Firewalls to detect and block malicious payloads, restrict user access to untrusted websites via DNS filtering or proxy controls, and monitor web traffic for anomalous data exfiltration patterns. These compensating controls add detection/prevention layers but do not eliminate the vulnerability. Detailed security content descriptions available in Apple security advisories HT127110-HT127120.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed

Share

CVE-2026-43660 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy