Description
This issue was addressed through improved state management. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Content Security Policy bypass
Action: Apply Patch
AI Analysis

Impact

The flaw results from improper state handling while parsing web pages, allowing attackers to craft malicious content that bypasses the browser’s Content Security Policy enforcement. This can lead to execution of unauthorized scripts or loading of disallowed resources, creating a pathway for cross‑site scripting or other code‑execution attacks.

Affected Systems

The problem exists in Apple’s Safari browser, iOS and iPadOS, macOS, tvOS, visionOS and watchOS. Specifically, the fixed versions are Safari 26.4, iOS 18.7.7 and 26.4, iPadOS 18.7.7 and 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4 and watchOS 26.4; earlier releases are affected. Updating to the listed releases removes the vulnerability.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity while the EPSS score of less than 1% reflects a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Even without known widespread exploitation, the attack vector likely involves a user visiting a malicious or compromised web page, so timely remediation is recommended.

Generated by OpenCVE AI on March 26, 2026 at 14:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Safari 26.4, iOS 18.7.7 or 26.4, iPadOS 18.7.7 or 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4 and watchOS 26.4 as released by Apple.
  • If an update cannot be applied immediately, limit exposure by restricting script execution for untrusted sites or blocking access to them.
  • Confirm that the latest OS and browser versions are installed and that Content Security Policy is being enforced as expected on your sites.
  • Keep monitoring Apple security advisories for further updates or temporary workarounds.

Generated by OpenCVE AI on March 26, 2026 at 14:29 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type: Title
  Values Removed: Web Content Processing Bypass Prevents Content Security Policy Enforcement
  Values Added: webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Type: References
Type: Metrics
  Values Removed: threat_severity: None
  Values Added: threat_severity: Moderate


Fri, 27 Mar 2026 10:00:00 +0000

Type: Title
  Web Content Processing Bypass Prevents Content Security Policy Enforcement

Thu, 26 Mar 2026 12:30:00 +0000

Type: Title
  CSP Bypass via Malicious Web Content in Apple Browsers
Type: Weaknesses
  CWE-79

Wed, 25 Mar 2026 22:00:00 +0000

Type: Title
  Values Added: CSP Bypass via Malicious Web Content in Apple Browsers
Type: First Time appeared
  Values Added: Apple ipados; Apple iphone Os
Type: Weaknesses
  Values Added: CWE-79
Type: CPEs
  Values Added:
    cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Apple ipados; Apple iphone Os

Wed, 25 Mar 2026 20:15:00 +0000

Type: Weaknesses
  Values Added: CWE-693
Type: Metrics
  Values Added:
    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:00:00 +0000

Type: First Time appeared
  Values Added: Apple; Apple ios And Ipados; Apple macos; Apple safari; Apple tvos; Apple visionos; Apple watchos
Type: Vendors & Products
  Values Added: Apple; Apple ios And Ipados; Apple macos; Apple safari; Apple tvos; Apple visionos; Apple watchos

Wed, 25 Mar 2026 01:00:00 +0000

Type: Description
  Values Added: This issue was addressed through improved state management. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
Type: References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:24:11.936Z

Reserved: 2025-11-11T14:43:07.866Z

Link: CVE-2026-20665

Vulnrichment

Updated: 2026-03-25T19:30:59.579Z

NVD

Status : Analyzed

Published: 2026-03-25T01:17:05.050

Modified: 2026-03-25T21:54:07.070

Link: CVE-2026-20665

Redhat

Severity : Moderate

Public Date: 2026-03-28T20:00:00Z

Links: CVE-2026-20665 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:50:27Z

Weaknesses