Description
An information leakage was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Visiting a maliciously crafted website may leak sensitive data.
Published: 2026-05-11
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An information leakage flaw allows data to be inadvertently exposed when a user visits a specially crafted website. The flaw can leak sensitive information that the user might consider private, such as browsing history, personal data held by applications, or other information that should remain confidential. The weakness involves improper validation of web content, a classic information‑exposure issue.

Affected Systems

The vulnerability affects several Apple platforms: iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Per the description, the fix is included in iOS 18.7.9 and iOS 26.5, iPadOS 18.7.9 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5.

Risk and Exploitability

No CVSS or EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so the exact exploitation probability and severity are uncertain. The attack vector is inferred to be via browsing the internet: an attacker crafts a malicious website that, when displayed, triggers the validation flaw and causes data leakage. Because the flaw is limited to web content parsing, a user must visit the malicious site; no remote code execution or privilege escalation is reported.

Generated by OpenCVE AI on May 11, 2026 at 21:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the affected platform to a version that includes the patch (e.g., iOS 26.5 or later, iPadOS 26.5, macOS Sequoia 15.7.7 or later, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5).
  • Ensure the device’s browser or web rendering engine is also updated to the latest release issued by Apple.
  • Avoid visiting websites from untrusted sources or apply content‑filtering policies to block known malicious domains.

Advisories

No advisories yet.

History

Mon, 11 May 2026 22:15:00 +0000

Type | Values Removed | Values Added
Title | | Sensitive Data Leak via Malicious Website in Apple Operating Systems
First Time appeared | | Apple; Apple ios And Ipados; Apple macos; Apple tvos; Apple visionos; Apple watchos
Weaknesses | | CWE-200
Vendors & Products | | Apple; Apple ios And Ipados; Apple macos; Apple tvos; Apple visionos; Apple watchos

Mon, 11 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | An information leakage was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Visiting a maliciously crafted website may leak sensitive data.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-11T20:08:35.900Z

Reserved: 2026-03-03T16:36:03.986Z

Link: CVE-2026-28920

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-05-11T21:18:54.427

Modified: 2026-05-12T14:13:03.510

Link: CVE-2026-28920

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T22:00:07Z

Weaknesses