Skip to main content

WebKit EUVDEUVD-2026-29266

| CVE-2026-28962 HIGH
Information Exposure (CWE-200)
2026-05-11 apple GHSA-qj7c-h383-wq37
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:27 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:07 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:07 nvd
HIGH 7.5

DescriptionCVE.org

This issue was addressed with improved access restrictions. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. Processing maliciously crafted web content may disclose sensitive user information.

AnalysisAI

Information disclosure in Apple WebKit allows remote attackers to extract sensitive user data by serving maliciously crafted web content to Safari or in-app browsers across iOS, iPadOS, macOS, and visionOS. Fixed in iOS/iPadOS 18.7.9, iOS/iPadOS 26.5, macOS Tahoe 26.5, and visionOS 26.5. Despite high CVSS 7.5, EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation attempts in the wild. No CISA KEV listing and no public exploit code identified at time of analysis. Apple characterizes this as an access restriction flaw (CWE-200), suggesting the vulnerability bypasses same-origin policy or other browser security boundaries to leak data cross-domain.

Technical ContextAI

This is a WebKit browser engine vulnerability affecting Apple's rendering engine used across all its operating systems. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) indicates inadequate access controls allowed web content to bypass isolation boundaries. WebKit implements critical security boundaries including same-origin policy, site isolation, and content security policies. The CVSS vector's Confidentiality impact of 'None' contradicts the description mentioning sensitive information disclosure-this discrepancy likely stems from initial scoring error, as information disclosure vulnerabilities typically have C:H (high confidentiality impact). The vulnerability resides in web content processing logic where crafted HTML, JavaScript, CSS, or embedded resources could trigger unauthorized data access. Affected CPE strings confirm impact across cpe:2.3:a:apple:ios_and_ipados, cpe:2.3:a:apple:macos, and cpe:2.3:a:apple:visionos, specifically WebKit components integrated into Safari and WKWebView frameworks used by third-party applications.

RemediationAI

Update immediately to vendor-released patched versions: iOS/iPadOS 18.7.9 for devices on the 18.x branch, iOS/iPadOS 26.5 for newer devices, macOS Tahoe 26.5, and visionOS 26.5. Patches available through standard Apple Software Update mechanisms (Settings > General > Software Update on iOS/iPadOS, System Settings > General > Software Update on macOS). Apple characterizes the fix as 'improved access restrictions' suggesting enhanced isolation between web content contexts. Organizations unable to patch immediately should implement compensating controls: disable JavaScript in Safari (Settings > Safari > Advanced > JavaScript off) which breaks most website functionality but prevents script-based exploitation, restrict web browsing to trusted domains only via mobile device management profiles or network filtering, or deploy web isolation technologies that render untrusted content in remote sandboxed environments. JavaScript disabling significantly impacts usability and should only be temporary. No evidence suggests private browsing mode or content blockers mitigate this specific WebKit engine flaw.

Share

EUVD-2026-29266 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy