Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
An information leakage was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Visiting a maliciously crafted website may leak sensitive data.
AnalysisAI
Information leakage in Apple operating systems allows remote attackers to extract sensitive data by crafting and hosting malicious websites that users visit. The vulnerability affects iOS 18.7.8 and earlier, iPadOS 18.7.8 and earlier, macOS Sequoia 15.7.6 and earlier, macOS Sonoma 14.8.6 and earlier, macOS Tahoe 26.4 and earlier, tvOS 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier. Exploitation requires user interaction (UI:R) to visit a malicious website but does not require authentication, with an EPSS score of 0.03 percent indicating low real-world exploitation probability despite the information disclosure impact.
Technical ContextAI
This is a CWE-200 information disclosure vulnerability in Apple's cross-platform operating system suite. The underlying issue stems from insufficient input validation in web handling or data processing mechanisms that allow specially crafted web content to leak sensitive data to an attacker. The vulnerability is triggered through the browser or webkit rendering engine when processing maliciously constructed HTML, JavaScript, or related web content. The CPE data confirms the vulnerability affects all major Apple platforms: iOS/iPadOS, macOS (multiple versions including Sequoia, Sonoma, and Tahoe), tvOS, visionOS, and watchOS. The information leakage occurs without modifying or denying availability of affected systems, indicating a confidentiality-only impact.
RemediationAI
Vendor-released patches are available for all affected Apple platforms. Update to iOS 18.7.9, iPadOS 18.7.9 or 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Organizations should prioritize updates on devices with users regularly exposed to untrusted web content. Until patches are deployed, user education is the primary compensating control: instruct users to avoid clicking on suspicious links from untrusted sources and to be cautious when visiting unfamiliar websites, particularly those from phishing campaigns or social engineering attempts. Implement web content filtering and URL reputation services to block known-malicious domains, though this does not protect against zero-day malicious sites. Consider restricting or monitoring web browsing on devices containing highly sensitive data. Patch deployment can be staged by platform and device type given the low EPSS score; critical systems should be prioritized, while less-critical devices can follow standard update schedules. Detailed patch instructions and downloads are available at https://support.apple.com/en-us/127110 through https://support.apple.com/en-us/127120.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29241
GHSA-hcrq-r2rc-m54f