
CVE-2026-20643

MEDIUM CVSS 3.1: 5.4 EPSS 0.03%
Updated Mar 19, 2026
Apple
| Parameter | Value |
| --- | --- |
| CVSS | 5.4 (MEDIUM) |
| Affected Versions | before 26.3.1 |
| Fixed In | 26.3.1 |
| Type | CWE-346 (Origin Validation Error), CWE-20 (Improper Input Validation) |
| Vendor | Apple |
| Public PoC | No |

A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. Processing maliciously crafted web content may bypass Same Origin Policy.

Attack Parameters

Attack Vector: Network (Can be exploited remotely)
Attack Complexity: Low (Easy to exploit)
Privileges Required: None (No privileges needed)
User Interaction: Required (User action required)

Impact Assessment

Confidentiality: Low (Partial data leak)
Integrity: Low (Partial data modification)
Availability: None (No disruption)

CVSS Vector v3.1

Vulnerable Products 3

| Configuration | From (including) | Up to (excluding) |
| --- | --- | --- |
| Apple Ipados `cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*` | | 26.3.1 |
| Apple Iphone_Os `cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*` | | 26.3.1 |
| Apple Macos `cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*` | | 26.3.1 |