Description
The issue was addressed with improved input validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.
Published: 2026-06-29
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in Apple web browsers allows a malicious website to exfiltrate data across origins by exploiting insufficient input validation. The flaw can compromise the confidentiality of any data a user has stored in the browser or that is associated with the targeted origin, as the attacker can request the data and transmit it to a domain they control. This is essentially an input validation failure that enables a classical data‑leakage attack.

Affected Systems

Apple Safari, iOS, iPadOS and macOS Tahoe are vulnerable in versions released before Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2 and macOS Tahoe 26.5.2. Versions older than 26.5.2 are affected, and the issue is fixed in the 26.5.2 release for each platform.

Risk and Exploitability

A malicious website can trigger the flaw when its page is loaded in an affected browser; no additional privileges or network exploitation are required. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of those metrics does not reduce its potential severity. The CVSS score is 4.3, indicating a medium level of severity for this client‑side data‑exfiltration flaw.

Generated by OpenCVE AI on June 29, 2026 at 23:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all browsers to the latest available versions—Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2 or macOS Tahoe 26.5.2
  • After updating, clear Safari’s cache and website data to remove any stored information that could be compromised
  • Enable Safari’s privacy settings to block cross‑site tracking and disable third‑party cookies to reduce cross‑origin data leakage risks

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Exfiltration via Input Validation Failure in Apple Web Browsers
Weaknesses CWE-200
CWE-79

Mon, 29 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Exfiltration via Input Validation Failure in Apple Web Browsers
Weaknesses CWE-200
CWE-79

Mon, 29 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved input validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-06-29T21:30:12.958Z

Reserved: 2026-05-01T22:46:21.644Z

Link: CVE-2026-43708

Vulnrichment

Updated: 2026-06-29T21:30:05.348Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T00:00:06Z

Weaknesses
  • CWE-20: Improper Input Validation