Description
A spoofing issue was addressed with improved truncation when displaying the fully qualified domain name. This issue is fixed in Safari 18.5, macOS Sequoia 15.5. A website may be able to spoof the domain name in the title of a pop-up window.
Published: 2025-11-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Domain Spoofing in Pop-Up Window Title
Action: Update Safari
AI Analysis

Impact

The flaw allows a malicious website to display a forged fully qualified domain name in the title of a pop-up window in Safari. The spoofed text can mislead users into believing they are interacting with a trusted domain, which can facilitate phishing or social-engineering attacks. The weakness is classified as CWE-451 (User Interface Misrepresentation of Critical Information); it does not provide code execution or privilege escalation, but it can undermine user trust and, through successful phishing, confidentiality, by presenting misleading domain information.

Affected Systems

Apple Safari versions earlier than 18.5 and macOS releases earlier than Sequoia 15.5 are affected. The vulnerability lies in the standard Safari application bundled with macOS and is not limited to a specific model or build. Users of older macOS or Safari releases should be aware that their browsers may display spoofed domain names in pop-up window titles.

Risk and Exploitability

The CVSS score of 4.3 indicates a low-to-moderate impact, and the EPSS score of less than 1% indicates a very low probability of exploitation today. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to trick users into visiting a malicious site that generates a spoofed pop-up; no network-based attack or remote code execution is required.

Generated by OpenCVE AI on April 27, 2026 at 22:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Safari 18.5 or later to eliminate the spoofing flaw.
  • Upgrade macOS to Sequoia 15.5 or later, which includes the Safari update.
  • Restrict or disable pop-up windows from untrusted sites in Safari to reduce the attack surface.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 23:15:00 +0000

Type: Title
Values Added: Spoofing of Domain Name in Safari Pop-Up Window Title

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: A spoofing issue was addressed with improved truncation when displaying the fully qualified domain name This issue is fixed in Safari 18.5, macOS Sequoia 15.5. A website may be able to spoof the domain name in the title of a pop-up window.
Values Added: A spoofing issue was addressed with improved truncation when displaying the fully qualified domain name. This issue is fixed in Safari 18.5, macOS Sequoia 15.5. A website may be able to spoof the domain name in the title of a pop-up window.

Wed, 26 Nov 2025 14:45:00 +0000

Type: CPEs
Values Added:
  cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Mon, 24 Nov 2025 09:15:00 +0000

Type: First Time appeared
Values Added: Apple, Apple macos, Apple safari

Type: Vendors & Products
Values Added: Apple, Apple macos, Apple safari

Sun, 23 Nov 2025 12:15:00 +0000

Type: Weaknesses
Values Added: CWE-451

Type: Metrics
Values Added:
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 21 Nov 2025 21:30:00 +0000

Type: Description
Values Added: A spoofing issue was addressed with improved truncation when displaying the fully qualified domain name This issue is fixed in Safari 18.5, macOS Sequoia 15.5. A website may be able to spoof the domain name in the title of a pop-up window.

References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:19:21.476Z

Reserved: 2025-03-27T16:13:58.340Z

Link: CVE-2025-31266

Vulnrichment

Updated: 2025-11-23T11:31:41.656Z

NVD

Status: Modified

Published: 2025-11-21T22:16:19.743

Modified: 2026-04-02T19:19:58.183

Link: CVE-2025-31266

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T23:00:13Z

Weaknesses