Description
A cross-origin issue was addressed with improved tracking of security origins. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may disclose sensitive user information.
Published: 2026-06-29
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE describes a cross-origin issue where the browser’s origin tracking was insufficient, allowing maliciously crafted web content to leak sensitive user information. The vulnerability pertains to the handling of security origins and can result in the disclosure of data that the user might expect to remain private, such as credentials or personal content that was accessed under a different origin. The weakness aligns with the principle of information exposure underlying CWE‑200.

Affected Systems

Affected systems are Apple’s web browser and platform components: Safari, iOS, iPadOS, and macOS Tahoe. The vulnerability is fixed in version 26.5.2 for Safari, iOS, iPadOS, and macOS Tahoe; users running earlier releases are potentially exposed.

Risk and Exploitability

No EPSS score is published for this vulnerability, and it is not listed in the CISA KEV catalog, indicating that exploitation has not been observed or reported in the wild yet. Nonetheless, the nature of the flaw, cross-origin information leakage, creates an avenue for attackers who can entice users to visit malicious websites or trick them into interacting with deceptive content. Because accessing the affected components is a common user activity, the attack vector is likely social engineering or drive-by phishing. The lack of public exploit data does not diminish the risk; patching remains the most reliable mitigation.

Generated by OpenCVE AI on June 29, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Safari, iOS, iPadOS, and macOS to version 26.5.2 or later.
  • Apply the latest OS updates to all managed Apple devices to ensure the fix is deployed across the environment.
  • Educate users to avoid visiting untrusted websites and to use safe browsing practices to reduce exposure to malicious content.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 22:30:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-346

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 21:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: Cross‑Origin Information Disclosure in Apple Browsers and Operating Systems

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-200

Mon, 29 Jun 2026 20:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: A cross-origin issue was addressed with improved tracking of security origins. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may disclose sensitive user information.

Type: References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-06-29T21:36:30.506Z

Reserved: 2026-05-01T22:46:21.643Z

Link: CVE-2026-43700

Vulnrichment

Updated: 2026-06-29T21:36:24.108Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T21:30:03Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-346

    Origin Validation Error