CVE-2026-20643

MEDIUM EPSS 27.3%

Published Mar 17, 20263mo ago · Modified Jun 17, 20261w ago

5.4 CVSS 3.1

Medium

Published Mar 17, 2026 3mo ago

Last Modified Jun 17, 2026 1w ago

Description

A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may bypass Same Origin Policy.

CVSS Details

Base Score

5.4

Exploitability

2.8

Impact

2.5

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Unchanged

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

27.3% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-20 Improper Input Validation Validation

CWE-346

Affected Products 3

Vendor	Product	Version	Range
apple	ipados	*	<26.3.1
apple	iphone_os	*	<26.3.1
apple	macos	*	<26.3.1

References 7

seclists.org http://seclists.org/fulldisclosure/2026/Mar/10
support.apple.com https://support.apple.com/en-us/126604

Release NotesVendor Advisory
support.apple.com https://support.apple.com/en-us/126792
support.apple.com https://support.apple.com/en-us/126793
support.apple.com https://support.apple.com/en-us/126794
support.apple.com https://support.apple.com/en-us/126799
support.apple.com https://support.apple.com/en-us/126800

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.