High severity7.5NVD Advisory· Published Feb 11, 2026· Updated Apr 2, 2026

CVE-2026-20660

Description

A path handling issue was addressed with improved logic. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Tahoe 26.3, visionOS 26.3. A remote user may be able to write arbitrary files.

Affected products

Apple Inc./Safari
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
Range: <26.3
Apple Inc./Ipados
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
Range: <18.7.5
Apple Inc./Iphone Os
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Range: <18.7.5
Apple Inc./macOS
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Range: <14.8.4
Apple Inc./Visionos
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Range: <26.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

support.apple.com/en-us/126346nvdRelease NotesVendor Advisory
support.apple.com/en-us/126347nvdRelease NotesVendor Advisory
support.apple.com/en-us/126348nvdRelease NotesVendor Advisory
support.apple.com/en-us/126350nvdRelease NotesVendor Advisory
support.apple.com/en-us/126353nvdRelease NotesVendor Advisory
support.apple.com/en-us/126354nvdRelease NotesVendor Advisory
support.apple.com/en-us/126795nvd

News mentions

Today's Odd Web Requests, (Wed, Apr 29th)
SANS Internet Storm Center · Apr 29, 2026
HTTP Requests with X-Vercel-Set-Bypass-Cookie Header, (Tue, Apr 28th)
SANS Internet Storm Center · Apr 28, 2026
Attackers Actively Exploiting Critical Vulnerability in Ninja Forms – File Upload Plugin
Wordfence Blog · Apr 16, 2026

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000