CVE-2024-40866 - Vulnerability Details

The issue was addressed with improved UI. This issue is fixed in Safari 18, macOS Sequoia 15. Visiting a malicious website may lead to address bar spoofing.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00079.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Apple	Macos Safari
Redhat	Enterprise Linux Rhel Els

Configuration 1 [-]

OR	cpe:2.3:a:apple:safari::::::::
	cpe:2.3:o:apple:macos::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7 Extended Lifecycle Support
webkitgtk4-0:2.48.3-2.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2025:10364	2025-07-07T00:00:00Z
Red Hat Enterprise Linux 8
webkit2gtk3-0:2.46.3-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:9636	2024-11-14T00:00:00Z
Red Hat Enterprise Linux 9
webkit2gtk3-0:2.46.1-2.el9_4	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:8180	2024-10-16T00:00:00Z
webkit2gtk3-0:2.46.3-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:9553	2024-11-13T00:00:00Z

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-3961-1	webkit2gtk security update
Debian DSA	DSA-5792-1	webkit2gtk security update
Ubuntu USN	USN-7079-1	WebKitGTK vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://seclists.org/fulldisclosure/2024/Sep/33
http://seclists.org/fulldisclosure/2024/Sep/37
https://lists.debian.org/debian-lts-announce/2024/11/msg00019.html
https://nvd.nist.gov/vuln/detail/CVE-2024-40866
https://support.apple.com/en-us/121238
https://support.apple.com/en-us/121241
https://webkitgtk.org/security/WSA-2024-0005.html
https://www.cve.org/CVERecord?id=CVE-2024-40866

History

Tue, 04 Nov 2025 17:30:00 +0000

Type	Values Removed	Values Added
References		http://seclists.org/fulldisclosure/2024/Sep/33 http://seclists.org/fulldisclosure/2024/Sep/37

Mon, 03 Nov 2025 22:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2024/11/msg00019.html

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00109}`	epss `{'score': 0.00112}`

Sun, 13 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00093}`	epss `{'score': 0.00109}`

Mon, 07 Jul 2025 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Els
CPEs		cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel Els

Sat, 16 Nov 2024 02:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8

Thu, 17 Oct 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux

Thu, 26 Sep 2024 02:15:00 +0000

Type	Values Removed	Values Added
References		https://webkitgtk.org/security/WSA-2024-0005.html

Wed, 25 Sep 2024 19:45:00 +0000

Type	Values Removed	Values Added
Title		webkitgtk: Visiting a malicious website may lead to address bar spoofing
References		https://nvd.nist.gov/vuln/detail/CVE-2024-40866 https://www.cve.org/CVERecord?id=CVE-2024-40866
Metrics	threat_severity `None`	threat_severity `Moderate`

Tue, 24 Sep 2024 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Apple safari
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:apple:safari:::::::: cpe:2.3:o:apple:macos::::::::
Vendors & Products		Apple Apple macos Apple safari
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}`

Wed, 18 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Sep 2024 23:30:00 +0000

Type	Values Removed	Values Added
Description		The issue was addressed with improved UI. This issue is fixed in Safari 18, macOS Sequoia 15. Visiting a malicious website may lead to address bar spoofing.
References		https://support.apple.com/en-us/121238 https://support.apple.com/en-us/121241

MITRE

Status: PUBLISHED

Assigner: apple

Published: 2024-09-16T23:22:28.243Z

Updated: 2025-11-04T16:13:38.887Z

Reserved: 2024-07-10T17:11:04.716Z

Link: CVE-2024-40866

Vulnrichment

Updated: 2024-09-18T17:55:39.283Z

NVD

Status : Modified

Published: 2024-09-17T00:15:49.840

Modified: 2025-11-04T17:16:02.817

Link: CVE-2024-40866

Redhat

Severity : Moderate

Publid Date: 2024-09-17T00:15:49Z

Links: CVE-2024-40866 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object