CVE-2026-20643

Severity: 5.4 MEDIUM
EPSS: 0.0% (top 90.36%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 17
Latest update: Mar 30

Description

A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may bypass Same Origin Policy.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.5

Affected Packages (8 packages)

NVD: apple/ipados < 26.3.1
CVEListV5: apple/ios_and_ipados < 18.7.7 +2
CVEListV5: apple/macos < 26.3.1 (a) +2
NVD: apple/macos < 26.3.1
CVEListV5: apple/safari < 26.4

🔴 Vulnerability Details (3)

GHSA
GHSA-gvvx-mjmx-h5qh: A cross-origin issue in the Navigation API was addressed with improved input validation (2026-03-18)
OSV
CVE-2026-20643: A cross-origin issue in the Navigation API was addressed with improved input validation (2026-03-17)
CVEList
CVE-2026-20643: A cross-origin issue in the Navigation API was addressed with improved input validation (2026-03-17)

📋 Vendor Advisories (3)

Red Hat
webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy (2026-03-28)
Apple
CVE-2026-20643: Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2 (2026-03-17)
Debian
CVE-2026-20643: webkit2gtk - A cross-origin issue in the Navigation API was addressed with improved input val... 2026

🕵️ Threat Intelligence (1)

Wiz
CVE-2026-20643 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (1)

Bugzilla
CVE-2026-20643 webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy [fedora-all] (2026-03-30)