CVE-2026-28861

State: PUBLISHED · Published: 2026-03-25 · Updated: 2026-04-02 · Assigner: apple

Description

A logic issue was addressed with improved state management. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. A malicious website may be able to access script message handlers intended for other origins.

CWE

(none)

Affected

Apple / Safari — v=0 <26.4 [affected]
Apple / iOS and iPadOS — v=0 <18.7.7 [affected]; v=0 <26.4 [affected]
Apple / macOS — v=0 <26.4 [affected]
Apple / visionOS — v=0 <26.4 [affected]

CVSS

(none)

References

https://support.apple.com/en-us/126792
https://support.apple.com/en-us/126793
https://support.apple.com/en-us/126794
https://support.apple.com/en-us/126799
https://support.apple.com/en-us/126800

Source

cvelistV5-main/cves/2026/28xxx/CVE-2026-28861.json