Description
A validation issue was addressed with improved logic. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
Published: 2026-05-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A validation issue in Apple's web content rendering logic, since addressed with improved logic, allows maliciously crafted pages to bypass the Content Security Policy that normally blocks inline scripting and external resource loading. When such content is processed, the policy is not enforced, which can enable an attacker to inject and execute arbitrary JavaScript or other code. The weakness is a classic input validation failure that compromises the integrity of web content processing.

Affected Systems

The flaw affects releases of Safari, iOS, iPadOS, macOS, tvOS, visionOS and watchOS prior to the versions that carry the fix: Safari 26.5, iOS 18.7.9 and 26.5, iPadOS 18.7.9 and 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Devices running any of these operating systems or browser versions earlier than the mentioned patches are vulnerable.

Risk and Exploitability

The EPSS score is reported as below 1% and the CVSS score is 7.5, indicating moderate to high severity. The vulnerability is not listed in the CISA KEV catalog and no public exploitation has been confirmed. The likely attack vector is delivery of malicious web content, for example through phishing, compromised sites, or third-party web views, which would trigger the policy bypass and permit arbitrary code execution on the victim device.

Generated by OpenCVE AI on May 13, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Safari security update that includes the fix: install Safari 26.5 or later.
  • Apply the Apple security updates that include the fix: install iOS 18.7.9 or 26.5, iPadOS 18.7.9 or 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5 or later.
  • Ensure that any third-party web rendering components bundled in applications are updated to the latest Apple-approved releases that enforce CSP correctly.
  • As a temporary measure, configure applications that embed web content to use strict CSP headers and disallow inline script execution, thereby limiting the impact of any potential policy bypass.

Generated by OpenCVE AI on May 13, 2026 at 22:44 UTC.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type: Title
  Removed: Apple Web Rendering Validation Flaw Bypasses Content Security Policy
  Added: webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Type: References
  (values not shown)
Type: Metrics (threat_severity)
  Removed: None
  Added: Moderate

Wed, 13 May 2026 23:00:00 +0000

Type: Title
  Value: Apple Web Rendering Validation Flaw Bypasses Content Security Policy

Wed, 13 May 2026 20:30:00 +0000

Type: Description
  Removed: A validation issue was addressed with improved logic. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
  Added: A validation issue was addressed with improved logic. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
Type: References
  (values not shown)

Tue, 12 May 2026 17:15:00 +0000

Type: First Time appeared
  Apple ipados
  Apple iphone Os
Type: CPEs
  cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Apple ipados
  Apple iphone Os

Tue, 12 May 2026 16:30:00 +0000

Type: Title
  Value: Content Security Policy Bypass via Malformed Web Content in Apple Operating Systems
Type: Weaknesses
  CWE-20
  CWE-79

Tue, 12 May 2026 14:15:00 +0000

Type: Weaknesses
  CWE-693
Type: Metrics
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 23:00:00 +0000

Type: Title
  Value: Content Security Policy Bypass via Malformed Web Content in Apple Operating Systems
Type: Weaknesses
  CWE-20
  CWE-79

Mon, 11 May 2026 22:45:00 +0000

Type: First Time appeared
  Apple
  Apple ios And Ipados
  Apple macos
  Apple tvos
  Apple visionos
  Apple watchos
Type: Vendors & Products
  Apple
  Apple ios And Ipados
  Apple macos
  Apple tvos
  Apple visionos
  Apple watchos

Mon, 11 May 2026 20:45:00 +0000

Type: Description
  Value: A validation issue was addressed with improved logic. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
Type: References
  (values not shown)

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-13T19:58:49.368Z

Reserved: 2026-05-01T22:46:21.639Z

Link: CVE-2026-43660

Vulnrichment

Updated: 2026-05-12T13:18:39.640Z

NVD

Status: Modified

Published: 2026-05-11T21:19:01.720

Modified: 2026-05-13T21:16:47.520

Link: CVE-2026-43660

Red Hat

Severity: Moderate

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-43660 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-13T22:45:06Z

Weaknesses