Description
A script imports issue was addressed with improved isolation. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4. Visiting a website may leak sensitive data.
Published: 2025-03-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

A vulnerability in Safari, iOS, iPadOS, macOS, and visionOS allows a malicious website to exploit the script import handling mechanism and bypass isolation controls, enabling the page to read data that should be protected. The flaw can lead to the leakage of sensitive information when a user simply visits the site. The weakness arises from inadequate isolation of imported scripts, which is reflected by information‑disclosure weaknesses.

Affected Systems

Apple's Safari browser, iOS, iPadOS, macOS, and visionOS are affected. In particular, any release before Safari 18.4, iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, or visionOS 2.4 can be exploited; these versions should be updated to the listed releases or later.

Risk and Exploitability

The CVSS score of 6.5 conveys a medium‑severity risk. With an EPSS below 1 % the likelihood of current exploitation is very low, and the flaw is not listed in CISA’s KEV catalog. The attack vector is remote; a user must simply visit a malicious site that triggers the vulnerable script import, and the attacker can read otherwise protected data, which constitutes an information‑disclosure scenario.

Generated by OpenCVE AI on April 28, 2026 at 18:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Apple security updates: Safari 18.4, iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4 or later.
  • Deploy an enterprise configuration or MDM setting that restricts third‑party script imports to reduce exposure while the patch is applied.
  • Monitor devices for anomalous script activity or reported data leakage and investigate any suspicious traffic promptly.

Generated by OpenCVE AI on April 28, 2026 at 18:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9002 A script imports issue was addressed with improved isolation. This issue is fixed in Safari 18.4, visionOS 2.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. Visiting a website may leak sensitive data.
History

Tue, 28 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Title Browser Script Import Vulnerability Causing Information Disclosure
Weaknesses CWE-200
CWE-603

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A script imports issue was addressed with improved isolation. This issue is fixed in Safari 18.4, visionOS 2.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. Visiting a website may leak sensitive data. A script imports issue was addressed with improved isolation. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4. Visiting a website may leak sensitive data.

Mon, 03 Nov 2025 21:30:00 +0000

Type Values Removed Values Added
References

Mon, 07 Apr 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ipados
Apple iphone Os
Apple macos
Apple safari
Apple visionos
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple ipados
Apple iphone Os
Apple macos
Apple safari
Apple visionos

Tue, 01 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 31 Mar 2025 22:45:00 +0000

Type Values Removed Values Added
Description A script imports issue was addressed with improved isolation. This issue is fixed in Safari 18.4, visionOS 2.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. Visiting a website may leak sensitive data.
References

Subscriptions

Apple Ipados Iphone Os Macos Safari Visionos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:25:51.636Z

Reserved: 2025-01-17T00:00:44.997Z

Link: CVE-2025-24192

cve-icon Vulnrichment

Updated: 2025-11-03T21:07:05.375Z

cve-icon NVD

Status : Modified

Published: 2025-03-31T23:15:17.567

Modified: 2026-04-02T19:19:16.147

Link: CVE-2025-24192

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T19:00:20Z

Weaknesses