CVE-2026-20660

HIGH

macOS Tahoe < 26.3 - Info Disclosure


Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-20660. PoCs published by XiaomingX and retX0.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept exploit for CVE-2026-20660, which leverages a path traversal vulnerability in CFNetwork's NSGZipDecoder via malicious gzip FNAME headers. The exploit demonstrates arbitrary file write capabilities on vulnerable macOS Safari versions with auto-open enabled.

Description

A path handling issue was addressed with improved logic. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Tahoe 26.3, visionOS 26.3. A remote user may be able to write arbitrary files.

Exploits (2)

GitHub · Working PoC · 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-20660

Classification: Working PoC (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: macOS Safari (before 26.3 patch line)
No auth needed
Prerequisites: Vulnerable macOS Safari version · Safari setting 'Open safe files after downloading' enabled · Network access to the target browser
Analyzed by devstral-2 on Mar 17, 2026
nomisec · Working PoC
by retX0 · poc
https://github.com/retX0/CVE-2026-20660

This repository contains a functional proof-of-concept exploit for CVE-2026-20660, which leverages a path traversal vulnerability in CFNetwork's NSGZipDecoder via the gzip FNAME header. The exploit demonstrates arbitrary file write capabilities on vulnerable macOS Safari versions with auto-open enabled.

Classification: Working PoC (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: macOS Safari (before 26.3 patch line)
No auth needed
Prerequisites: Vulnerable macOS Safari version · Safari setting 'Open safe files after downloading' enabled · Network access to the target browser
Analyzed by devstral-2 on Mar 16, 2026

References (7)

Core References
Release Notes, Vendor Advisory: https://support.apple.com/en-us/126346
Release Notes, Vendor Advisory: https://support.apple.com/en-us/126347
Release Notes, Vendor Advisory: https://support.apple.com/en-us/126348
Release Notes, Vendor Advisory: https://support.apple.com/en-us/126350
Release Notes, Vendor Advisory: https://support.apple.com/en-us/126353
Release Notes, Vendor Advisory: https://support.apple.com/en-us/126354

Scores

CVSS v3: 7.5
EPSS: 0.0077
EPSS Percentile: 50.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-22
Status: published
Products (12):
Apple/iOS and iPadOS < 18.7.5
Apple/iOS and iPadOS < 26.3
apple/ipados < 18.7.5
apple/iphone_os < 18.7.5
apple/macos < 14.8.4
Apple/macOS < 14.8.4
Apple/macOS < 15.7.5
Apple/macOS < 26.3
apple/safari < 26.3
Apple/Safari < 26.3
... and 2 more
Published: Feb 11, 2026
Tracked Since: Feb 18, 2026