Skip to main content

Apple EUVDEUVD-2026-15149

| CVE-2026-28871 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 apple GHSA-m46v-chmw-rw9m
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
18.7.7,26.4
EUVD ID Assigned
Mar 25, 2026 - 01:00 euvd
EUVD-2026-15149
Analysis Generated
Mar 25, 2026 - 01:00 vuln.today
CVE Published
Mar 25, 2026 - 00:31 nvd
MEDIUM 4.3

DescriptionCVE.org

A logic issue was addressed with improved checks. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4. Visiting a maliciously crafted website may lead to a cross-site scripting attack.

AnalysisAI

A cross-site scripting (XSS) vulnerability exists in Apple's Safari browser and iOS/iPadOS operating systems due to insufficient input validation in website content handling. An attacker can craft a malicious website that, when visited by a user, executes arbitrary JavaScript in the context of the victim's browser, potentially stealing credentials, session tokens, or performing actions on behalf of the user. Apple has released patches across Safari 26.4, iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, and macOS Tahoe 26.4 to address this logic flaw, though no CVSS score, EPSS data, or KEV status has been publicly disclosed, suggesting this may be a proactive disclosure rather than an actively exploited vulnerability.

Technical ContextAI

The vulnerability is rooted in a logic issue within Safari's content security and input sanitization mechanisms, affecting the rendering engine used across Apple's ecosystem. Safari (cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*), iOS and iPadOS (cpe:2.3:a:apple:ios_and_ipados:*:*:*:*:*:*:*:*), and macOS (cpe:2.3:a:apple:macos:*:*:*:*:*:*:*:*) all share WebKit rendering technology, making them collectively vulnerable. While no specific CWE classification is provided in the advisory, the XSS attack vector indicates a weakness in output encoding or filter bypass logic—typically CWE-79 (Improper Neutralization of Input During Web Page Generation). The flaw allows maliciously crafted HTML or JavaScript to bypass Safari's existing XSS protections, suggesting a logic gap rather than a complete absence of controls.

RemediationAI

Immediately update Safari to version 26.4 or later, iOS to version 18.7.7 or 26.4 or later, iPadOS to version 18.7.7 or 26.4 or later, and macOS to Tahoe 26.4 or later via Apple's Software Update mechanism. For users unable to patch immediately, disable JavaScript execution in Safari preferences as a temporary mitigation, though this will degrade website functionality. Additionally, users should avoid visiting untrusted or suspicious websites pending patch deployment. Enterprise administrators should leverage Mobile Device Management (MDM) to enforce automatic updates across iOS and iPadOS devices. Refer to the official Apple security advisories at https://support.apple.com/en-us/126792 through 126800 for detailed patch availability and deployment timelines.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP6-LTSS Fixed

Share

EUVD-2026-15149 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy