CVE-2026-20643

MEDIUM

Apple macOS < 26.3.2 (a) - Denial of Service

Title source: rule

Description

A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may bypass Same Origin Policy.

Exploits (2)

nomisec WRITEUP
by Fliv · poc
https://github.com/Fliv/CVE-2026-20643

nomisec WRITEUP
by zeroxjf · poc
https://github.com/zeroxjf/WebKit-NavigationAPI-SOP-Bypass

Scores

CVSS v3 5.4
EPSS 0.0004
EPSS Percentile 10.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Details

CWE CWE-20, CWE-346
Status published
Products (15)
Apple/iOS unspecified - 26.3.1 (a)
Apple/iOS and iPadOS < 18.7.7
Apple/iOS and iPadOS < 26.3.1 (a)
Apple/iOS and iPadOS < 26.4
apple/ipados < 26.3.1
Apple/iPadOS unspecified - 26.3.1 (a)
apple/iphone_os < 26.3.1
apple/macos < 26.3.1
Apple/macOS < 26.3.1 (a)
Apple/macOS < 26.3.2 (a)
... and 5 more
Published Mar 17, 2026
Tracked Since Mar 18, 2026