Description
A path handling issue was addressed with improved logic. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Tahoe 26.3, visionOS 26.3. A remote user may be able to write arbitrary files.
Published: 2026-02-11
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Patch
AI Analysis

Impact

A flaw in the handling of filesystem paths allows a remote attacker to write arbitrary files to the victim device. The vulnerability exists in the Safari web browser and the underlying operating systems of iOS, iPadOS, macOS, and visionOS. The effect is that an attacker may overwrite or create files on the file system, presenting a risk of privilege escalation, data tampering, or compromise of application integrity.

Affected Systems

Apple Safari, iOS, iPadOS, macOS, and visionOS devices run the affected code. Versions before Safari 26.3, iOS 18.7.5 or 26.3, iPadOS 18.7.5 or 26.3, macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Tahoe 26.3, and visionOS 26.3 lack the fix.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a malicious web page or application that delivers a crafted path to Safari or the related OS component, enabling the attacker to cause the system to resolve and write the file without additional authentication.

Generated by OpenCVE AI on April 16, 2026 at 00:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Safari to version 26.3 or newer.
  • Update all Apple operating systems to their latest patched releases (iOS 18.7.5, iPadOS 18.7.5, macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Tahoe 26.3, and visionOS 26.3).
  • Implement a patch‑management process to routinely apply Apple security updates; monitor Apple security advisories and verify installation on all devices.

Generated by OpenCVE AI on April 16, 2026 at 00:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Title Remote Arbitrary File Write via Path Handling in Apple Safari and OSes

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A path handling issue was addressed with improved logic. This issue is fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3, Safari 26.3. A remote user may be able to write arbitrary files. A path handling issue was addressed with improved logic. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Tahoe 26.3, visionOS 26.3. A remote user may be able to write arbitrary files.
References

Fri, 13 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Thu, 12 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Thu, 12 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple safari
Apple visionos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple safari
Apple visionos

Wed, 11 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description A path handling issue was addressed with improved logic. This issue is fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3, Safari 26.3. A remote user may be able to write arbitrary files.
References

Subscriptions

Apple Ios And Ipados Ipados Iphone Os Macos Safari Visionos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:16:44.119Z

Reserved: 2025-11-11T14:43:07.865Z

Link: CVE-2026-20660

cve-icon Vulnrichment

Updated: 2026-02-13T17:43:28.544Z

cve-icon NVD

Status : Modified

Published: 2026-02-11T23:16:08.620

Modified: 2026-04-02T19:21:19.040

Link: CVE-2026-20660

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T01:00:19Z

Weaknesses