Description
The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.
Published: 2026-06-29
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allowed a malicious website to bypass the browser’s same‑origin policy, enabling exfiltration of data that resides on other origins in the victim’s browser. This privacy leak could reveal sensitive information such as cookies, local storage entries, or other user data that should remain isolated between websites. The weakness is reflected in the CWE‑1021 classification for improper CORS handling and applies to Apple WebKit components.

Affected Systems

Apple Safari, iOS, iPadOS and macOS Tahoe are impacted. The issue existed in versions preceding Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2 and macOS Tahoe 26.5.2. The fix was delivered in those 26.5.2 releases for all listed products.

Risk and Exploitability

EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed exploitation to date. The likely attack vector is a user visiting a malicious or compromised website that can read data cross‑origin; no elevated privileges or network control appear required. While the CVSS score is not provided, the privacy impact of leaking data across origins represents a moderate to high risk if exploited, and with no known public exploits the current threat level is considered moderate until a new exploit emerges.

Generated by OpenCVE AI on June 29, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all Apple devices to Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2 or macOS Tahoe 26.5.2, which add the missing checks that prevent cross‑origin data access.
  • On managed systems, enforce a strict WebKit Content Security Policy or control Access‑Control‑Allow‑Origin headers to limit cross‑origin requests until the update is applied.
  • Review any third‑party web content or web‑view components for improper CORS configuration and correct them if necessary.

Generated by OpenCVE AI on June 29, 2026 at 21:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title Apple Safari and iOS Cross‑Origin Data Exfiltration Vulnerability
Weaknesses CWE-1021
CWE-79

Mon, 29 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-06-29T19:42:44.758Z

Reserved: 2026-05-01T22:46:21.646Z

Link: CVE-2026-43735

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T21:45:04Z

Weaknesses
  • CWE-1021

    Improper Restriction of Rendered UI Layers or Frames

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')