Description
An information leakage was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Visiting a maliciously crafted website may leak sensitive data.
Published: 2026-05-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An information leakage flaw allows data to be inadvertently exposed when a user visits a specially crafted website. The flaw can leak sensitive information that the user might consider private, such as browsing history, personal data held by applications, or other information that should remain confidential. The weakness involves improper validation of web content, a classic information‑exposure issue.

Affected Systems

The vulnerability affects several Apple platforms: iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Per the vendor description, the fix ships in iOS 18.7.9 and iOS 26.5, iPadOS 18.7.9 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5; releases on those platforms that predate these versions do not carry the additional validation.

Risk and Exploitability

The CVSS score is 6.5, the EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, indicating moderate severity and a very low exploitation probability. The attack vector is inferred to be web browsing: an attacker hosts a malicious website that, when rendered by the device's web engine, triggers the validation flaw and causes sensitive data to leak. This matches the recorded CVSS vector (network-reachable, low complexity, no privileges, user interaction required, high confidentiality impact, no integrity or availability impact). The flaw is limited to web content handling, so a user must visit the malicious site; no remote code execution or privilege escalation is reported.

Generated by OpenCVE AI on May 13, 2026 at 16:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the affected platform to a version that includes the patch (e.g., iOS 26.5 or later, iPadOS 26.5, macOS Sequoia 15.7.7 or later, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5).
  • Ensure the device’s browser or web rendering engine is also updated to the latest release issued by Apple.
  • Avoid visiting websites from untrusted sources or apply content‑filtering policies to block known malicious domains.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added:
    Apple ipados
    Apple iphone Os

Type: CPEs
  Values Removed: (none)
  Values Added:
    cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*

Type: Vendors & Products
  Values Removed: (none)
  Values Added:
    Apple ipados
    Apple iphone Os

Wed, 13 May 2026 16:30:00 +0000

Type: Title
  Values Removed: (none)
  Values Added:
    Sensitive Data Leak via Malicious Website in Apple Operating Systems

Wed, 13 May 2026 14:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 22:15:00 +0000

Type: Title
  Values Removed: (none)
  Values Added:
    Sensitive Data Leak via Malicious Website in Apple Operating Systems

Type: First Time appeared
  Values Removed: (none)
  Values Added:
    Apple
    Apple ios And Ipados
    Apple macos
    Apple tvos
    Apple visionos
    Apple watchos

Type: Weaknesses
  Values Removed: (none)
  Values Added:
    CWE-200

Type: Vendors & Products
  Values Removed: (none)
  Values Added:
    Apple
    Apple ios And Ipados
    Apple macos
    Apple tvos
    Apple visionos
    Apple watchos

Mon, 11 May 2026 20:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added:
    An information leakage was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Visiting a maliciously crafted website may leak sensitive data.

References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-13T13:32:52.977Z

Reserved: 2026-03-03T16:36:03.986Z

Link: CVE-2026-28920

Vulnrichment

Updated: 2026-05-13T13:32:35.076Z

NVD

Status : Analyzed

Published: 2026-05-11T21:18:54.427

Modified: 2026-05-14T14:01:36.967

Link: CVE-2026-28920

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T16:15:26Z

Weaknesses

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor