Description
A path handling issue was addressed with improved validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may disclose sensitive user information.
Published: 2026-06-29
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE describes a path handling issue in which processing maliciously crafted web content may disclose sensitive user information. The weakness is classified as improper limitation of a pathname to a restricted directory (CWE-22). Because the operating system or browser validates file paths incorrectly, confidential data may be exposed to an attacker when a compromised website or file is accessed.

Affected Systems

Apple Safari on macOS, iOS, and iPadOS is affected when running a version earlier than 26.5.2. The issue is fixed in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2. Devices running earlier releases may expose user data via the vulnerable path handling logic.

Risk and Exploitability

EPSS data for this vulnerability is not available, and it is not listed in the CISA KEV catalog, so the current risk of exploitation is unknown but potentially low to moderate. The most likely attack vector is the delivery of malicious web content through Safari, which could trigger the path handling flaw and leak sensitive data.

Generated by OpenCVE AI on June 29, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update all Apple Safari, iOS, iPadOS, and macOS devices to version 26.5.2 or later to apply the path handling fix.
  • Implement an automated device update policy that ensures the latest security patches are installed promptly, preventing exposure to the vulnerability.
  • Use enterprise content filtering or web security tools to restrict malicious web content until the update propagates, thereby reducing the risk of exploitation via Safari.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 22:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'} |
| | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 29 Jun 2026 22:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Path Handling Vulnerability in Apple Safari Enables Sensitive Information Disclosure |
| Weaknesses | | CWE-22 |

Mon, 29 Jun 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A path handling issue was addressed with improved validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may disclose sensitive user information. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-06-29T21:30:55.046Z

Reserved: 2026-05-01T22:46:21.646Z

Link: CVE-2026-43732

Vulnrichment

Updated: 2026-06-29T21:30:50.434Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T21:45:04Z

Weaknesses

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')