CVE-2025-43526
BaseFortify
Publication date: 2025-12-17
Last updated on: 2026-04-02
Assigner: Apple Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apple | safari | all versions before 26.2 (26.2 itself is fixed) |
| apple | macos | all versions before 26.2 (26.2 itself is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect'): the web application accepts user-controlled input that specifies a link to an external site and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
This is an improper URL validation issue in Safari and macOS Tahoe. When web content is opened via a file URL (a local file, rather than a page served over the network) on a Mac with Lockdown Mode enabled, that content may be able to use Web APIs that Lockdown Mode is supposed to restrict. Apple fixed the issue by improving URL validation in macOS Tahoe 26.2 and Safari 26.2.
How can this vulnerability impact me?
Lockdown Mode exists to reduce the attack surface of Safari for users who may be individually targeted. Because of this bug, web content loaded from a file URL could reach Web APIs that Lockdown Mode should have blocked, so a local web document (for example one delivered as an attachment or download and then opened in Safari) gets more capability than the user expects, which weakens the protection Lockdown Mode is meant to provide and may expose the user to follow-on attacks on the system or on their privacy.
What immediate steps should I take to mitigate this vulnerability?
Update macOS to Tahoe 26.2 and Safari to 26.2; these releases contain the improved URL validation that fixes the issue. Note that Lockdown Mode is the feature whose restriction is bypassed here, so enabling it does not by itself close this gap on an unpatched system; it remains worth keeping on, because the fix restores its intended behaviour. Until the update is installed, avoid opening untrusted local HTML or other web content (file URLs) in Safari on a Mac with Lockdown Mode enabled.
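The check a practitioner would run after patching is to confirm that both macOS and Safari report a version of 26.2 or later. The script below is an added example, not code from BaseFortify or Apple; it reads the installed versions with the standard macOS tools `sw_vers` and `defaults` (assumed to be present only when run on a Mac) and compares them numerically against the 26.2 threshold stated in the advisory, so that a version such as 26.10 is correctly treated as newer than 26.2. The helper names (`version_lt`, `cve_2025_43526_status`) are this example's own.

```shell
#!/bin/sh
# Added example (not BaseFortify's or Apple's code): report whether the
# installed macOS and Safari builds are below the 26.2 fix threshold for
# CVE-2025-43526. Only the fixed version number comes from the advisory;
# the helper logic and names are assumptions of this example.

FIXED_VERSION="26.2"

# version_lt A B : return 0 (true) if dotted version A sorts strictly before B.
# Compares component by component as integers, so 26.10 is newer than 26.2
# (a plain string comparison would get this wrong). Missing trailing
# components are treated as 0, so 26.2 is not less than 26.2.0.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    # Drop the consumed leading component, or empty the string if none remain.
    [ "$a" = "$ai" ] && a="" || a="${a#*.}"
    [ "$b" = "$bi" ] && b="" || b="${b#*.}"
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1
}

# cve_2025_43526_status VERSION : print "vulnerable", "fixed" or "unknown".
# Anything that is not purely digits and dots (e.g. a failed read) is "unknown"
# rather than being silently treated as patched.
cve_2025_43526_status() {
  case "$1" in
    ""|*[!0-9.]*) echo "unknown"; return 0 ;;
  esac
  if version_lt "$1" "$FIXED_VERSION"; then
    echo "vulnerable"
  else
    echo "fixed"
  fi
}

# On a Mac, read the live values. On other systems this block is skipped so
# the helpers above can still be exercised with constructed version strings.
if command -v sw_vers >/dev/null 2>&1; then
  macos_ver="$(sw_vers -productVersion)"
  safari_ver="$(defaults read /Applications/Safari.app/Contents/Info.plist \
                CFBundleShortVersionString 2>/dev/null || echo unknown)"
  echo "macOS  $macos_ver: $(cve_2025_43526_status "$macos_ver")"
  echo "Safari $safari_ver: $(cve_2025_43526_status "$safari_ver")"
fi
```

Run it as `sh check_cve_2025_43526.sh` on the Mac in question; both lines must read "fixed" before the issue can be considered closed. A Safari version that cannot be read (for example because Safari is not in /Applications) is reported as "unknown" rather than assumed patched.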