CVE-2026-43735

HIGH

Apple Safari - Denial of Service

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-43735. PoCs published by dem0ns.

AI-analyzed exploit summary This repository contains a functional proof-of-concept for CVE-2026-43735, a WebKit cross-origin information leakage vulnerability affecting Safari < 26.5.2. The exploit demonstrates how a cross-origin iframe can access parent DOM elements via NavigateEvent.sourceElement, bypassing same-origin policy.

Description

The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.

Exploits (1)

nomisec WORKING POC
by dem0ns · poc
https://github.com/dem0ns/CVE-2026-43735

This repository contains a functional proof-of-concept for CVE-2026-43735, a WebKit cross-origin information leakage vulnerability affecting Safari < 26.5.2. The exploit demonstrates how a cross-origin iframe can access parent DOM elements via NavigateEvent.sourceElement, bypassing same-origin policy.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Safari < 26.5.2
No auth needed
Prerequisites: Victim must visit attacker-controlled page with Safari < 26.5.2 · Cross-origin iframe must be loaded in the victim's page
mistral-large-3 · analyzed Jul 01, 2026 Full analysis →

Scores

CVSS v3 8.1
EPSS 0.0016
EPSS Percentile 5.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-352
Status published
Products (7)
Apple/iOS and iPadOS < 26.5.2
apple/ipados < 26.5.2
apple/iphone_os < 26.5.2
Apple/macOS < 26.5.2
apple/macos 26.0 - 26.5.2
Apple/Safari < 26.5.2
apple/safari < 26.5.2
Published Jun 29, 2026
Tracked Since Jun 30, 2026