CVE-2026-20643

Published: Mar 17, 2026Modified: Mar 25, 2026

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may bypass Same Origin Policy.

Affected (3)

Products: Apple: Ipados, Iphone Os, Macos

3 products

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Apple Ipados	Before 26.3.1
Apple Iphone Os	Before 26.3.1
Apple Macos	Before 26.3.1

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

References (7)

https://support.apple.com/en-us/126604

Source: product-security@apple.com

Release NotesVendor Advisory

https://support.apple.com/en-us/126792

Source: product-security@apple.com

https://support.apple.com/en-us/126793

Source: product-security@apple.com

https://support.apple.com/en-us/126794

Source: product-security@apple.com

https://support.apple.com/en-us/126799

Source: product-security@apple.com

https://support.apple.com/en-us/126800

Source: product-security@apple.com

http://seclists.org/fulldisclosure/2026/Mar/10

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.