Description
The issue was addressed with improved UI handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings.
Published: 2026-05-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by insufficient UI handling that lets a malicious webpage embed an iframe targeting another site’s download preferences. By doing so, an attacker can change the target website’s download settings, influencing how files are downloaded or where they are saved. The flaw is classified as CWE-1021 and does not provide code execution, privilege escalation, or direct data access; its impact is limited to UI‑controlled configuration changes.

Affected Systems

Apple products including Safari, iOS, iPadOS, macOS Tahoe, and visionOS are affected. The security fix is incorporated from Safari 26.5 onward, as well as iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, and visionOS 26.5. Versions prior to these releases remain vulnerable until the update is applied.

Risk and Exploitability

The CVSS score of 4.3 and an EPSS of <1% indicate a moderate but low probability of exploitation. The vulnerability is not in the CISA KEV catalog. The likely attack vector is a webpage that hosts a malicious iframe pointing to another site and attempting to alter its download settings. Based on the description, it is inferred that the attacker needs to trick a user into visiting such a page; no remote code execution or elevated privileges are required.

Generated by OpenCVE AI on May 14, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Safari 26.5, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, or visionOS 26.5 to apply the UI handling fix
  • Configure browser or device settings to block third‑party iframes from modifying download preferences when possible
  • Audit download configuration changes regularly to detect unauthorized modifications

Generated by OpenCVE AI on May 14, 2026 at 00:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Malicious iframe modifies download settings in Safari and Apple OS

Wed, 13 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title Malicious iframe modifies download settings in Safari and Apple OS
Weaknesses CWE-601

Wed, 13 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved UI handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings. The issue was addressed with improved UI handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings.
References

Wed, 13 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Tue, 12 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title Malicious iframe can hijack download settings on Apple operating systems

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 23:30:00 +0000

Type Values Removed Values Added
Title Malicious iframe can hijack download settings on Apple operating systems
Weaknesses CWE-601

Mon, 11 May 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple visionos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple visionos

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved UI handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings.
References

Subscriptions

Apple Ios And Ipados Ipados Iphone Os Macos Visionos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-13T19:58:55.140Z

Reserved: 2026-03-03T16:36:03.992Z

Link: CVE-2026-28971

cve-icon Vulnrichment

Updated: 2026-05-12T18:10:41.577Z

cve-icon NVD

Status : Modified

Published: 2026-05-11T21:18:57.807

Modified: 2026-05-13T21:16:44.610

Link: CVE-2026-28971

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T01:00:11Z

Weaknesses