CVE-2025-31266 — User Interface (UI) Misrepresentation of Critical Information in Apple Macos

CWE-451 — User Interface (UI) Misrepresentation of Critical Information5 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 92.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Macos Apple Safari

Timeline

PublishedNov 21

Latest updateNov 22

Description

A spoofing issue was addressed with improved truncation when displaying the fully qualified domain name. This issue is fixed in Safari 18.5, macOS Sequoia 15.5. A website may be able to spoof the domain name in the title of a pop-up window.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:LExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5apple/macos< 15.5

▶NVDapple/macos< 15.5

▶CVEListV5apple/safari< 18.5

▶NVDapple/safari< 18.5

🔴Vulnerability Details

GHSA

GHSA-3x9f-jgfq-gjmx: A spoofing issue was addressed with improved truncation when displaying the fully qualified domain name This issue is fixed in Safari 18↗2025-11-22

▶

CVEList

CVE-2025-31266: A spoofing issue was addressed with improved truncation when displaying the fully qualified domain name↗2025-11-21

▶

📋Vendor Advisories

Apple

CVE-2025-31266: macOS Sequoia 15.5↗2025-05-12

▶

Apple

CVE-2025-31266: Safari 18.5↗2025-05-12

▶