Impact
The vulnerability stems from inadequate input validation of web content: maliciously crafted content can cause the browser to skip or weaken enforcement of the Content Security Policy that a site sets and the browser is supposed to apply, so a policy that should block unauthorized scripts or resources might not take effect. The flaw is categorized as improper input validation (CWE‑20) and improper encoding or escaping of output (CWE‑116). It affects Safari, iOS, iPadOS, macOS, tvOS, visionOS and watchOS, was addressed with improved input validation, and is fixed in Safari 26.5, iOS 18.7.9 and 26.5, iPadOS 18.7.9 and 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5.
Affected Systems
Apple Safari, iOS, iPadOS, macOS, tvOS, visionOS and watchOS are affected. Devices running Safari older than 26.5, iOS or iPadOS 18.x older than 18.7.9 or 26.x older than 26.5, macOS Tahoe older than 26.5, tvOS older than 26.5, visionOS older than 26.5, or watchOS older than 26.5 can be made to process malicious content that bypasses a page's Content Security Policy. The issue is fixed in Safari 26.5, iOS 18.7.9 and 26.5, iPadOS 18.7.9 and 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5; on iOS and iPadOS the fix ships with the OS update rather than as a separate Safari release.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, while the EPSS score of < 1% suggests a low probability of widespread exploitation today. The flaw is reachable remotely: an attacker only has to get an affected device to render a web page containing the crafted content, and the page's Content Security Policy may then not be enforced. Because CSP is a defense‑in‑depth control, the practical impact is largest on sites where a policy is the only thing keeping an existing injection point (for example a stored or reflected script injection) from executing. The vulnerability is not listed in the CISA KEV catalog, meaning no confirmed in‑the‑wild exploitation has been reported to CISA. Nonetheless, the high severity warrants timely patching: fleet operators should verify that devices are on the fixed versions, and site operators should not treat CSP as a substitute for sanitizing or encoding untrusted input at the source.
OpenCVE Enrichment