A flaw in Safari, iOS, iPadOS and macOS allows a malicious webpage to silently overwrite the user’s clipboard without visible indication. Once the clipboard contents are replaced, the attacker can capture or modify copy‑paste data used by other applications, causing unauthorized disclosure or tampering of private information.

Apple products including Safari, iOS, iPadOS and macOS Tahoe are affected. The issue was fixed in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2 and macOS Tahoe 26.5.2. Based on the patch version information, it is inferred that earlier releases are still vulnerable, though this is an inference.

The exploitation path is a user visiting a malicious website; no special privileges are required beyond normal web browsing. EPSS data is unavailable and the vulnerability is not listed in CISA KEV. The CVSS score is not supplied, but the flaw permits covert data extraction and can undermine confidentiality of sensitive information.