Low severity3.3NVD Advisory· Published Feb 11, 2026· Updated Apr 2, 2026

CVE-2026-20656

Description

A logic issue was addressed with improved validation. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, macOS Tahoe 26.3. An app may be able to access a user's Safari history.

Affected products

Apple Inc./Safari
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
Range: <26.3
Apple Inc./Ipados
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
Range: <18.7.5
Apple Inc./Iphone Os
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Range: <18.7.5
Apple Inc./macOS
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Range: <26.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

support.apple.com/en-us/126347nvdRelease NotesVendor Advisory
support.apple.com/en-us/126348nvdRelease NotesVendor Advisory
support.apple.com/en-us/126354nvdRelease NotesVendor Advisory

News mentions

Today's Odd Web Requests, (Wed, Apr 29th)
SANS Internet Storm Center · Apr 29, 2026
HTTP Requests with X-Vercel-Set-Bypass-Cookie Header, (Tue, Apr 28th)
SANS Internet Storm Center · Apr 28, 2026
Attackers Actively Exploiting Critical Vulnerability in Ninja Forms – File Upload Plugin
Wordfence Blog · Apr 16, 2026

cvss	0.214
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000