CVE-2026-20676
Analyzed
Analyzed - Analysis Complete
User Tracking via Safari Web Extensions Due to State Management Flaw
Publication date: 2026-02-11
Last updated on: 2026-04-02
Assigner: Apple Inc.
Description
Description
This issue was addressed through improved state management. This issue is fixed in Safari 26.3, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A website may be able to track users through Safari web extensions.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apple | ipados | to 26.3 (exc) |
| apple | iphone_os | to 26.3 (exc) |
| apple | macos | to 26.3 (exc) |
| apple | visionos | to 26.3 (exc) |
| apple | safari | to 26.3 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
