Description
The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
Published: 2026-05-11
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to craft malicious web content that can disable or bypass the enforcement of the Content Security Policy. When such content is processed by the affected Apple operating systems, the built‑in security controls that prevent the execution of unauthorized scripts or the reading of protected data are no longer trusted, potentially enabling arbitrary code execution or data exfiltration. This flaw reflects improper input validation that fails to enforce policy constraints on user‑supplied web content.

Affected Systems

Apple iOS versions older than 18.7.9 and 26.5, iPadOS versions older than 18.7.9 and 26.5, macOS Tahoe older than 26.5, tvOS older than 26.5, visionOS older than 26.5, and watchOS older than 26.5 are affected. Devices running any of these operating systems may process malicious web material that bypasses the Content Security Policy.

Risk and Exploitability

Although no CVSS or EPSS score is provided, the flaw presents a significant risk because it is exploitable through standard web browsing or an app that renders web content. A remote attacker could host or embed crafted content and entice a user to open it, thereby bypassing security controls. The absence of KEV listing does not indicate low risk, and standard security practices recommend treating the issue as high severity until an official score becomes available.

Generated by OpenCVE AI on May 11, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update all Apple operating systems on devices to the latest patched versions: iOS 18.7.9 and 26.5, iPadOS 18.7.9 and 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5.
  • Deploy configuration profiles or device management policies that enforce strict Content Security Policy settings on internal web applications to reduce the impact of malicious content.
  • Monitor device logs and user activity for signs of unauthorized script execution or anomalous web content behavior.

Generated by OpenCVE AI on May 11, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos

Mon, 11 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title Bypass of Content Security Policy via Malicious Web Content
Weaknesses CWE-20

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
References

Subscriptions

Apple Ios And Ipados Macos Tvos Visionos Watchos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-11T20:08:30.224Z

Reserved: 2026-03-03T16:36:03.984Z

Link: CVE-2026-28907

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-11T21:18:53.503

Modified: 2026-05-12T14:13:03.510

Link: CVE-2026-28907

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T22:15:06Z

Weaknesses