Description
This issue was addressed with improved access restrictions. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. Processing maliciously crafted web content may disclose sensitive user information.
Published: 2026-05-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from inadequate access restrictions, enabling an attacker to craft malicious web content that, when rendered by the web engine on Apple devices, may disclose sensitive user information. The flaw permits disclosure of personal or system data during normal content rendering, compromising confidentiality. No remote code execution or denial‑of‑service capabilities are described.

Affected Systems

Vendors affected are Apple for iOS, iPadOS, macOS, visionOS, and Safari. Fixed versions include Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, and visionOS 26.5. Systems running earlier releases of any of these operating systems or Safari are susceptible.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity for information disclosure. The EPSS score is less than 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in CISA KEV. The likely attack vector involves delivering maliciously formatted web content through a browser or web‑enabled application; this is inferred from the context of maliciously crafted web content. No explicit further exploitation conditions are listed, so the mere rendering of such content suffices to trigger the information disclosure.

Generated by OpenCVE AI on May 13, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Perform an immediate upgrade to iOS 18.7.9 or later, or iOS 26.5 and later, and to iPadOS 18.7.9 or later, or iPadOS 26.5 and later, ensuring that the latest security fixes are applied.
  • Update macOS Tahoe to version 26.5 or newer, which incorporates the necessary access‑restriction enhancements.
  • Upgrade visionOS to 26.5 or a newer release to eliminate the exposure of sensitive data when processing web content.

Generated by OpenCVE AI on May 13, 2026 at 22:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title Access Restriction Bypass in Apple Web Engines Exposes Sensitive Data

Wed, 13 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description This issue was addressed with improved access restrictions. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. Processing maliciously crafted web content may disclose sensitive user information. This issue was addressed with improved access restrictions. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. Processing maliciously crafted web content may disclose sensitive user information.
References

Tue, 12 May 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Tue, 12 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Sensitive Data Disclosure via Malicious Web Content

Tue, 12 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple visionos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple visionos

Mon, 11 May 2026 22:30:00 +0000

Type Values Removed Values Added
Title Sensitive Data Disclosure via Malicious Web Content
Weaknesses CWE-200

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description This issue was addressed with improved access restrictions. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. Processing maliciously crafted web content may disclose sensitive user information.
References

Subscriptions

Apple Ios And Ipados Ipados Iphone Os Macos Visionos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-13T19:58:46.189Z

Reserved: 2026-03-03T16:36:03.991Z

Link: CVE-2026-28962

cve-icon Vulnrichment

Updated: 2026-05-12T13:08:10.612Z

cve-icon NVD

Status : Modified

Published: 2026-05-11T21:18:57.187

Modified: 2026-05-13T21:16:44.443

Link: CVE-2026-28962

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T22:45:06Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor