CVE-2026-43660 - Vulnerability Details

Description

A validation issue was addressed with improved logic. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.

Published: 2026-05-11

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A validation flaw in Apple’s web content rendering logic allows maliciously crafted pages to bypass the Content Security Policy that normally blocks inline scripting and external resource loading. When a page containing specially constructed content is rendered, the policy is not enforced, which can enable an attacker to inject and execute arbitrary JavaScript or other code. The weakness is a classic input validation failure that compromises the integrity of web content processing.

Affected Systems

The flaw affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS versions prior to the patched releases described in the advisory. Specifically, iOS and iPadOS are vulnerable before iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, while macOS Tahoe, tvOS, visionOS, and watchOS are vulnerable before version 26.5.

Risk and Exploitability

The EPSS score is reported as < 1 %, and the CVSS score is 7.5, indicating a moderate to high severity. The vulnerability is not listed in the CISA KEV catalog and no public exploitation is confirmed. The likely attack vector involves delivering malicious web content, such as through phishing, compromised sites, or third‑party web views, which would trigger the policy bypass and permit arbitrary code execution on the victim device.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apple

iOS and iPadOS

affected

Version	Status	Constraints
`0`	affected	< 18.7.9
`0`	affected	< 26.5

Apple

macOS

affected

Version	Status	Constraints
`0`	affected	< 26.5

Apple

tvOS

affected

Version	Status	Constraints
`0`	affected	< 26.5

Apple

visionOS

affected

Version	Status	Constraints
`0`	affected	< 26.5

Apple

watchOS

affected

Version	Status	Constraints
`0`	affected	< 26.5

Configuration 1 [-]

OR	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:tvos::::::::
	cpe:2.3:o:apple:visionos::::::::
	cpe:2.3:o:apple:watchos::::::::

No data.

Vendor Product Confidence Versions

Apple

Ios And Ipados

100%

Version	Status	Scheme	Platform
`[0,18.7.9)`	affected	semver	—
`[0,26.5)`	affected	semver	—

Apple

Macos

100%

Version	Status	Scheme	Platform
`[0,26.5)`	affected	semver	—

Apple

Tvos

100%

Version	Status	Scheme	Platform
`[0,26.5)`	affected	semver	—

Apple

Visionos

100%

Version	Status	Scheme	Platform
`[0,26.5)`	affected	semver	—

Apple

Watchos

100%

Version	Status	Scheme	Platform
`[0,26.5)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the Apple security updates that include the fix: install iOS 18.7.9 or 26.5, iPadOS 18.7.9 or 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5 or later.
Ensure that any third‑party web rendering components bundled in applications are updated to the latest Apple‑approved releases that enforce CSP correctly.
As a temporary measure, configure applications that embed web content to use strict CSP headers and disallow inline script execution, thereby limiting the impact of any potential policy bypass.

Generated by OpenCVE AI on May 12, 2026 at 18:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00033.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://support.apple.com/en-us/127110
https://support.apple.com/en-us/127111
https://support.apple.com/en-us/127115
https://support.apple.com/en-us/127118
https://support.apple.com/en-us/127119
https://support.apple.com/en-us/127120

History

Tue, 12 May 2026 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple ipados Apple iphone Os
CPEs		cpe:2.3:o:apple:ipados:::::::: cpe:2.3:o:apple:iphone_os:::::::: cpe:2.3:o:apple:macos:::::::: cpe:2.3:o:apple:tvos:::::::: cpe:2.3:o:apple:visionos:::::::: cpe:2.3:o:apple:watchos::::::::
Vendors & Products		Apple ipados Apple iphone Os

Tue, 12 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Title	Content Security Policy Bypass via Malformed Web Content in Apple Operating Systems
Weaknesses	CWE-20 CWE-79

Tue, 12 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-693
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 11 May 2026 23:00:00 +0000

Type	Values Removed	Values Added
Title		Content Security Policy Bypass via Malformed Web Content in Apple Operating Systems
Weaknesses		CWE-20 CWE-79

Mon, 11 May 2026 22:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple ios And Ipados Apple macos Apple tvos Apple visionos Apple watchos
Vendors & Products		Apple Apple ios And Ipados Apple macos Apple tvos Apple visionos Apple watchos

Mon, 11 May 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		A validation issue was addressed with improved logic. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
References		https://support.apple.com/en-us/127110 https://support.apple.com/en-us/127111 https://support.apple.com/en-us/127115 https://support.apple.com/en-us/127118 https://support.apple.com/en-us/127119 https://support.apple.com/en-us/127120

Subscriptions

Apple Ios And Ipados Ipados Iphone Os Macos Tvos Visionos Watchos

MITRE

Status: PUBLISHED

Assigner: apple

Published: 2026-05-11T20:07:54.438Z

Updated: 2026-05-12T13:18:50.867Z

Reserved: 2026-05-01T22:46:21.639Z

Link: CVE-2026-43660

Vulnrichment

Updated: 2026-05-12T13:18:39.640Z

NVD

Status : Analyzed

Published: 2026-05-11T21:19:01.720

Modified: 2026-05-12T17:14:52.453

Link: CVE-2026-43660

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T18:15:21Z

Weaknesses

CWE-693

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object