Skip to main content

Apple iOS, iPadOS, macOS, tvOS, visionOS, watchOS EUVDEUVD-2026-29241

| CVE-2026-28920 MEDIUM
Information Exposure (CWE-200)
2026-05-11 apple GHSA-hcrq-r2rc-m54f
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 13, 2026 - 15:59 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
6.5 (MEDIUM)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
MEDIUM 6.5

DescriptionCVE.org

An information leakage was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Visiting a maliciously crafted website may leak sensitive data.

AnalysisAI

Information leakage in Apple operating systems allows remote attackers to extract sensitive data by crafting and hosting malicious websites that users visit. The vulnerability affects iOS 18.7.8 and earlier, iPadOS 18.7.8 and earlier, macOS Sequoia 15.7.6 and earlier, macOS Sonoma 14.8.6 and earlier, macOS Tahoe 26.4 and earlier, tvOS 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier. Exploitation requires user interaction (UI:R) to visit a malicious website but does not require authentication, with an EPSS score of 0.03 percent indicating low real-world exploitation probability despite the information disclosure impact.

Technical ContextAI

This is a CWE-200 information disclosure vulnerability in Apple's cross-platform operating system suite. The underlying issue stems from insufficient input validation in web handling or data processing mechanisms that allow specially crafted web content to leak sensitive data to an attacker. The vulnerability is triggered through the browser or webkit rendering engine when processing maliciously constructed HTML, JavaScript, or related web content. The CPE data confirms the vulnerability affects all major Apple platforms: iOS/iPadOS, macOS (multiple versions including Sequoia, Sonoma, and Tahoe), tvOS, visionOS, and watchOS. The information leakage occurs without modifying or denying availability of affected systems, indicating a confidentiality-only impact.

RemediationAI

Vendor-released patches are available for all affected Apple platforms. Update to iOS 18.7.9, iPadOS 18.7.9 or 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Organizations should prioritize updates on devices with users regularly exposed to untrusted web content. Until patches are deployed, user education is the primary compensating control: instruct users to avoid clicking on suspicious links from untrusted sources and to be cautious when visiting unfamiliar websites, particularly those from phishing campaigns or social engineering attempts. Implement web content filtering and URL reputation services to block known-malicious domains, though this does not protect against zero-day malicious sites. Consider restricting or monitoring web browsing on devices containing highly sensitive data. Patch deployment can be staged by platform and device type given the low EPSS score; critical systems should be prioritized, while less-critical devices can follow standard update schedules. Detailed patch instructions and downloads are available at https://support.apple.com/en-us/127110 through https://support.apple.com/en-us/127120.

Share

EUVD-2026-29241 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy