Description
The issue was addressed with improved UI handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings.
Published: 2026-05-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a malicious iframe to influence an external website’s download settings. This flaw is limited to UI handling of download preferences and occurs when an attacker embeds an iframe that can adjust system or user download configuration. It does not grant arbitrary code execution, privilege escalation, or direct access to secure services.

Affected Systems

Apple operating systems iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, and visionOS 26.5 have patched the issue. Versions earlier than these releases remain susceptible until the fix is applied.

Risk and Exploitability

The CVSS score is 4.3, the EPSS score is <1%, and the vulnerability is not listed in KEV. Because only the described iframe manipulation scenario is documented and no exploits are known beyond that, the risk is rated moderate. The most probable attack vector is a web page that hosts a malicious iframe targeting another site’s download settings.

Generated by OpenCVE AI on May 12, 2026 at 20:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, or visionOS 26.5 to apply Apple’s UI handling fix
  • If the platform allows, configure policies or sandbox settings to block third-party iframes from altering download preferences
  • Regularly audit any changes to download configuration settings to detect unauthorized modifications



Advisories

No advisories yet.

History

Tue, 12 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title Malicious iframe can hijack download settings on Apple operating systems

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
Metrics cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 23:30:00 +0000

Type Values Removed Values Added
Title Malicious iframe can hijack download settings on Apple operating systems
Weaknesses CWE-601

Mon, 11 May 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared: Apple, Apple ios And Ipados, Apple macos, Apple visionos
Vendors & Products: Apple, Apple ios And Ipados, Apple macos, Apple visionos

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved UI handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-12T18:10:49.495Z

Reserved: 2026-03-03T16:36:03.992Z

Link: CVE-2026-28971

Vulnrichment

Updated: 2026-05-12T18:10:41.577Z

NVD

Status : Undergoing Analysis

Published: 2026-05-11T21:18:57.807

Modified: 2026-05-12T19:16:29.950

Link: CVE-2026-28971

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:00:13Z

Weaknesses