Medium severity5.3NVD Advisory· Published Feb 11, 2026· Updated Apr 2, 2026

CVE-2026-20676

Description

This issue was addressed through improved state management. This issue is fixed in Safari 26.3, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A website may be able to track users through Safari web extensions.

Affected products

Apple Inc./Safari
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
Range: <26.3
Apple Inc./Ipados
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
Range: <26.3
Apple Inc./Iphone Os
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Range: <26.3
Apple Inc./macOS
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Range: <26.3
Apple Inc./Visionos
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Range: <26.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

support.apple.com/en-us/126346nvdRelease NotesVendor Advisory
support.apple.com/en-us/126348nvdRelease NotesVendor Advisory
support.apple.com/en-us/126353nvdRelease NotesVendor Advisory
support.apple.com/en-us/126354nvdRelease NotesVendor Advisory

News mentions

visionOS 26.5 RC (23O471)
Apple Security Releases · May 4, 2026
Today's Odd Web Requests, (Wed, Apr 29th)
SANS Internet Storm Center · Apr 29, 2026
HTTP Requests with X-Vercel-Set-Bypass-Cookie Header, (Tue, Apr 28th)
SANS Internet Storm Center · Apr 28, 2026
visionOS 26.5 beta 4 (23O5468a)
Apple Security Releases · Apr 27, 2026
Attackers Actively Exploiting Critical Vulnerability in Ninja Forms – File Upload Plugin
Wordfence Blog · Apr 16, 2026
visionOS 26.4 (23O247)
Apple Security Releases · Mar 24, 2026

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000