CVE-2025-43526

Published: Dec 17, 2025Modified: Apr 2, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

This issue was addressed with improved URL validation. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. On a Mac with Lockdown Mode enabled, web content opened via a file URL may be able to use Web APIs that should be restricted.

Affected (2)

Products: Apple: Macos, Safari

Apple

2 products

Macos

Safari

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apple Macos	Before 26.2
Apple Safari	Before 26.2

Related CWEs

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References (2)

https://support.apple.com/en-us/125886

Source: product-security@apple.com

Release NotesVendor Advisory

https://support.apple.com/en-us/125892

Source: product-security@apple.com

Release NotesVendor Advisory

Timeline

No history available yet.