CVE-2026-43700

MEDIUM

Apple Safari - Origin Validation Error

Title source: rule

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-43700. PoCs published by dem0ns.

AI-analyzed exploit summary: This repository provides a functional PoC for CVE-2026-43700, a cross-origin information leak in WebKit's WebGPU `importExternalTexture` affecting Safari versions prior to 26.5.2. The PoC includes live verification pages demonstrating the vulnerability.

Description

A cross-origin issue was addressed with improved tracking of security origins. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may disclose sensitive user information.

Exploits (1)

github WORKING POC
by dem0ns · poc
https://github.com/dem0ns/CVE-2026-43700

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Safari < 26.5.2
No auth needed
Prerequisites: Safari < 26.5.2 · Access to attacker-controlled verification page
mistral-large-3 · analyzed Jun 30, 2026

Scores

CVSS v3 6.5
EPSS 0.0015
EPSS Percentile 4.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE: CWE-346
Status published
Products (7)
Apple/iOS and iPadOS < 26.5.2
apple/ipados < 26.5.2
apple/iphone_os < 26.5.2
Apple/macOS < 26.5.2
apple/macos < 26.5.2
Apple/Safari < 26.5.2
apple/safari < 26.5.2
Published Jun 29, 2026
Tracked Since Jun 30, 2026