CVE-2026-28861
Modified Modified - Updated After Analysis
Cross-Origin Script Message Handler Access in Safari and iOS

Publication date: 2026-03-25

Last updated on: 2026-05-10

Assigner: Apple Inc.

Description
A logic issue was addressed with improved state management. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. A malicious website may be able to access script message handlers intended for other origins.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-05-10
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28861
EUVD
EUVD-2026-15135
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
apple ipados to 18.7.7 (exc)
apple ipados From 26.0 (inc) to 26.4 (exc)
apple iphone_os to 18.7.7 (exc)
apple iphone_os From 26.0 (inc) to 26.4 (exc)
apple visionos to 26.4 (exc)
apple macos to 26.4 (exc)
apple safari to 26.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a logic issue related to state management in certain Apple operating systems and Safari browser versions. It allows a malicious website to potentially access script message handlers that are intended for other origins, which means that scripts from one website could interfere with or access data from another website.

Impact Analysis

The impact of this vulnerability is that a malicious website could exploit it to access script message handlers meant for other websites. This could lead to unauthorized access to information or interference between websites, potentially compromising user data or security when browsing.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, update affected Apple software to the fixed versions: Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, and visionOS 26.4.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28861. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart