{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28871", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2026-03-03T16:36:03.974Z", "datePublished": "2026-03-25T00:31:33.483Z", "dateUpdated": "2026-03-25T00:31:33.483Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "Visiting a maliciously crafted website may lead to a cross-site scripting attack"}]}], "affected": [{"vendor": "Apple", "product": "Safari", "versions": [{"version": "0", "status": "affected", "lessThan": "26.4", "versionType": "custom"}]}, {"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"version": "0", "status": "affected", "lessThan": "18.7.7", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "26.4", "versionType": "custom"}]}, {"vendor": "Apple", "product": "macOS", "versions": [{"version": "0", "status": "affected", "lessThan": "26.4", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A logic issue was addressed with improved checks. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4. Visiting a maliciously crafted website may lead to a cross-site scripting attack."}], "references": [{"url": "https://support.apple.com/en-us/126792"}, {"url": "https://support.apple.com/en-us/126793"}, {"url": "https://support.apple.com/en-us/126794"}, {"url": "https://support.apple.com/en-us/126800"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-03-25T00:31:33.483Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A logic issue was addressed with improved checks. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4. Visiting a maliciously crafted website may lead to a cross-site scripting attack."}], "id": "CVE-2026-28871", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T01:17:11.110", "references": [{"source": "product-security@apple.com", "url": "https://support.apple.com/en-us/126792"}, {"source": "product-security@apple.com", "url": "https://support.apple.com/en-us/126793"}, {"source": "product-security@apple.com", "url": "https://support.apple.com/en-us/126794"}, {"source": "product-security@apple.com", "url": "https://support.apple.com/en-us/126800"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,18.7.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "iOS and iPadOS", "source": "cna", "vendor": "Apple"}, "product": "ios_and_ipados", "vendor": "apple"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "macOS", "source": "cna", "vendor": "Apple"}, "product": "macos", "vendor": "apple"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Safari", "source": "cna", "vendor": "Apple"}, "product": "safari", "vendor": "apple"}], "analysis": {"en": {"generated_at": "2026-03-26T14:56:12.888484+00:00", "value": {"mitigation_remediation": ["Apply the Apple-provided updates: upgrade Safari to 26.4, iOS to 18.7.7 and 26.4, iPadOS to 18.7.7 and 26.4, and macOS Tahoe to 26.4.", "Enable automatic system updates and verify that the patch has been installed.", "If updating is not immediately possible, consider disabling JavaScript in Safari or using a content\u2011filtering extension to block suspicious sites."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The bug affects versions of Safari, iOS, iPadOS, and macOS Tahoe that are older than the patched releases listed: Safari 26.4, iOS 18.7.7 and 26.4, iPadOS 18.7.7 and 26.4, and macOS Tahoe 26.4. The issue is fixed in those specific updates and newer releases thereafter.", "description_and_impact": "The vulnerability is a logic flaw that allows a maliciously crafted webpage to instruct Safari, iOS, or macOS to execute JavaScript without proper validation. An attacker can trick a user into accessing a malicious site and run arbitrary scripts, potentially compromising credentials, session data, or other sensitive information. The weakness aligns with reflected or stored XSS weaknesses.", "risk_and_exploitability": "The EPSS score is under 1\u202f% and the CVE is not listed in KEV, indicating a low to moderate exploitation likelihood. However, the flaw presents a remote execution vector for end users through a crafted webpage. An attacker can deliver the malicious content via phishing or compromised domains. Because the failure stems from a logic issue rather than a memory corruption or privilege escalation, it typically requires only user interaction to trigger. The CVSS score is not provided, but the potential impact on confidentiality and integrity is considerable."}}}}, "created": "2026-03-25T11:37:08.461324+00:00", "title": "Cross\u2011Site Scripting Vulnerability in Safari and Apple Mobile Platforms", "updated": "2026-03-27T09:20:23.698507+00:00", "vendors": ["apple", "apple$PRODUCT$ios_and_ipados", "apple$PRODUCT$macos", "apple$PRODUCT$safari"], "weaknesses": ["CWE-79"]}