CVE-2025-43480 — Permissive Cross-domain Security Policy with Untrusted Domains in Apple IOS AND Ipados

CWE-942 — Permissive Cross-domain Security Policy with Untrusted Domains CWE-200 — Sensitive Information Exposure13 documents7 sources

Severity

8.1HIGHNVD

EPSS

0.0%

top 88.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple IOS AND Ipados Apple Macos Apple Safari +5 more

Timeline

PublishedNov 4

Latest updateNov 20

Description

The issue was addressed with improved checks. This issue is fixed in Safari 26.1, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. A malicious website may exfiltrate data cross-origin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages12 packages

▶CVEListV5apple/tvos< 26.1

▶NVDapple/tvos< 26.1

▶CVEListV5apple/macos< 26.1

▶CVEListV5apple/safari< 26.1

▶NVDapple/ipados< 26.1

🔴Vulnerability Details

OSV

CVE-2025-43480: The issue was addressed with improved checks↗2025-11-04

▶

OSV

CVE-2025-43480: The issue was addressed with improved checks↗2025-11-04

▶

CVEList

CVE-2025-43480: The issue was addressed with improved checks↗2025-11-04

▶

GHSA

GHSA-wg34-qg7p-mhvv: The issue was addressed with improved checks↗2025-11-04

▶

📋Vendor Advisories

Red Hat

webkitgtk: A malicious website may exfiltrate data cross-origin↗2025-11-20

▶

Apple

CVE-2025-43480: Safari 26.1↗2025-11-03

▶

Apple

CVE-2025-43480: watchOS 26.1↗2025-11-03

▶

Apple

CVE-2025-43480: tvOS 26.1↗2025-11-03

▶

Apple

CVE-2025-43480: iOS 26.1 and iPadOS 26.1↗2025-11-03

▶