CVE-2026-28861

MEDIUM EPSS 37.8%
Published Mar 25, 20263mo ago · Modified Jun 17, 20261w ago
4.3 CVSS 3.1
Medium
Find Similar
Published Mar 25, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

A logic issue was addressed with improved state management. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. A malicious website may be able to access script message handlers intended for other origins.

CVSS Details

Base Score
4.3
Exploitability
2.8
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
37.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 7

VendorProductVersionRange
applesafari* <26.4
appleipados* <18.7.7
appleipados*≥26.0  –  <26.4
appleiphone_os* <18.7.7
appleiphone_os*≥26.0  –  <26.4
applemacos* <26.4
applevisionos* <26.4

References 5

  • support.apple.com https://support.apple.com/en-us/126792
    Release NotesVendor Advisory
  • support.apple.com https://support.apple.com/en-us/126793
    Release NotesVendor Advisory
  • support.apple.com https://support.apple.com/en-us/126794
    Release NotesVendor Advisory
  • support.apple.com https://support.apple.com/en-us/126799
    Release NotesVendor Advisory
  • support.apple.com https://support.apple.com/en-us/126800
    Release NotesVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.