Description
This issue was addressed through improved state management. This issue is fixed in Safari 18.6, macOS Sequoia 15.6. Processing maliciously crafted web content may lead to universal cross site scripting.
Published: 2025-07-29
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Universal cross‑site scripting that may compromise user data and session integrity
Action: Apply patch
AI Analysis

Impact

The vulnerability is caused by improper state management in Apple Safari and macOS, which allows a maliciously crafted web page to execute JavaScript in the victim’s browser context. This results in universal cross‑site scripting, giving an attacker the ability to steal credentials, manipulate the session, or redirect users to malicious sites. The weakness is an input validation failure, classified as CWE‑79, and is considered a moderate security risk.

Affected Systems

Apple Safari and Apple macOS products are affected. All releases prior to Safari 18.6 and macOS Sequoia 15.6 contain the flaw. The issue is resolved in these and later updates.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity. The EPSS score of less than 1% suggests that it is unlikely to be currently exploited. The vulnerability has not been listed in the CISA KEV catalog. An attacker can exploit the flaw simply by delivering malicious web content to an unpatched user’s browser; no elevated privileges or additional setup are required beyond normal web navigation.

Generated by OpenCVE AI on April 28, 2026 at 18:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Safari to version 18.6 or newer
  • Update macOS to Sequoia 15.6 or newer
  • Enable automatic OS and browser updates to ensure rapid patch deployment

Advisories
Source: EUVD
ID: EUVD-2025-23054
Title: This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.6, Safari 18.6. Processing maliciously crafted web content may lead to universal cross site scripting.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type: Title
Values Added: Universal Cross‑Site Scripting via Improper State Management in Safari and macOS

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.6, Safari 18. 6. Processing maliciously crafted web content may lead to universal cross site scripting.
Values Added: This issue was addressed through improved state management. This issue is fixed in Safari 18.6, macOS Sequoia 15.6. Processing maliciously crafted web content may lead to universal cross site scripting.

Mon, 03 Nov 2025 20:30:00 +0000


Fri, 01 Aug 2025 14:45:00 +0000

Type: CPEs
Values Added:
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Thu, 31 Jul 2025 18:15:00 +0000

Type: Weaknesses
Values Added: CWE-79

Type: Metrics
Values Added:
cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 31 Jul 2025 10:30:00 +0000

Type: First Time appeared
Values Added:
Apple
Apple macos
Apple safari
Apple sequoia

Type: Vendors & Products
Values Added:
Apple
Apple macos
Apple safari
Apple sequoia

Wed, 30 Jul 2025 23:00:00 +0000

Type: Description
Values Removed: This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.6. Processing maliciously crafted web content may lead to universal cross site scripting.
Values Added: This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.6, Safari 18. 6. Processing maliciously crafted web content may lead to universal cross site scripting.

Type: References

Tue, 29 Jul 2025 23:45:00 +0000

Type: Description
Values Added: This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.6. Processing maliciously crafted web content may lead to universal cross site scripting.

Type: References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:13:07.046Z

Reserved: 2025-04-16T15:24:37.091Z

Link: CVE-2025-43229

Vulnrichment

Updated: 2025-11-03T20:01:58.420Z

NVD

Status: Modified

Published: 2025-07-30T00:15:35.023

Modified: 2026-04-02T19:20:09.213

Link: CVE-2025-43229

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T19:00:20Z

Weaknesses