CVE-2026-28861
Description
A logic issue was addressed with improved state management. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. A malicious website may be able to access script message handlers intended for other origins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A logic issue in Safari allowed a malicious website to access script message handlers from other origins, potentially leaking cross-origin data.
Vulnerability
A logic issue in Safari's state management could allow a malicious website to access script message handlers intended for other origins. This cross-origin violation arises from improper handling of script message handler registrations, enabling the attacker to intercept or manipulate messages meant for different web origins.
Exploitation
Exploitation requires no special privileges or user interaction beyond visiting a malicious website. The attacker can craft a web page that sends script messages to handlers registered by legitimate origins, bypassing same-origin restrictions. This affects Safari on various Apple platforms including iOS, iPadOS, macOS, and visionOS.
Impact
An attacker could read or modify messages sent to script message handlers from other origins, potentially leading to data leakage, session hijacking, or unauthorized actions on behalf of the user. The severity is medium (CVSS 4.3) due to the need for user interaction and network access.
Mitigation
The issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, and visionOS 26.4 [1][2][3][4]. Users are advised to update to the latest versions to mitigate the risk.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Apple Safari (cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*): versions before 26.4
- Apple macOS (cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*): versions before 26.4
- Apple visionOS (cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*): versions before 26.4
- Apple iOS and iPadOS (no CPE): versions before 18.7.7 and versions before 26.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- support.apple.com/en-us/126792 (NVD: Release Notes, Vendor Advisory)
- support.apple.com/en-us/126793 (NVD: Release Notes, Vendor Advisory)
- support.apple.com/en-us/126794 (NVD: Release Notes, Vendor Advisory)
- support.apple.com/en-us/126799 (NVD: Release Notes, Vendor Advisory)
- support.apple.com/en-us/126800 (NVD: Release Notes, Vendor Advisory)
News mentions
- SHub macOS infostealer variant spoofs Apple security updates (BleepingComputer, May 18, 2026)
- Windows 11 and Microsoft Edge hacked at Pwn2Own Berlin 2026 (BleepingComputer, May 14, 2026)
- Fake Claude search results lure Mac users into ClickFix attack (Malwarebytes Labs, May 12, 2026)
- Apple Patches Dozens of Vulnerabilities in macOS, iOS (SecurityWeek, May 12, 2026)
- ZDI-26-312: Apple Safari Web Inspector WebCore Style Resolver Use-After-Free Remote Code Execution Vulnerability (Zero Day Initiative, May 12, 2026)
- ZDI-26-313: Apple Safari Regular Expression Duplicate Named Groups Heap-based Buffer Overflow Remote Code Execution Vulnerability (Zero Day Initiative, May 12, 2026)
- Apple Patches Everything, (Mon, May 11th) (SANS Internet Storm Center, May 11, 2026)
- Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution (Unit 42, May 7, 2026)
- Attackers Actively Exploiting Critical Vulnerability in Breeze Cache Plugin (Wordfence Blog, May 5, 2026)
- CloudZ RAT potentially steals OTP messages using Pheno plugin (Cisco Talos Intelligence, May 5, 2026)
- visionOS 26.5 RC (23O471) (Apple Security Releases, May 4, 2026)
- Open-source privacy proxy masks PII before prompts reach external AI services (Help Net Security, May 1, 2026)
- SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack (The Hacker News, Apr 29, 2026)
- Today's Odd Web Requests, (Wed, Apr 29th) (SANS Internet Storm Center, Apr 29, 2026)
- HTTP Requests with X-Vercel-Set-Bypass-Cookie Header, (Tue, Apr 28th) (SANS Internet Storm Center, Apr 28, 2026)
- visionOS 26.5 beta 4 (23O5468a) (Apple Security Releases, Apr 27, 2026)
- Attackers Actively Exploiting Critical Vulnerability in Ninja Forms – File Upload Plugin (Wordfence Blog, Apr 16, 2026)
- The Good, the Bad and the Ugly in Cybersecurity – Week 15 (SentinelOne Labs, Apr 10, 2026)
- 30th March – Threat Intelligence Report (Check Point Research, Mar 30, 2026)
- Risky Business #830 -- LiteLLM and security scanner supply chains compromised (Risky Business, Mar 25, 2026)
- visionOS 26.4 (23O247) (Apple Security Releases, Mar 24, 2026)
- Siemens SIMATIC (CISA Alerts)