CVE-2026-28871
Cross-Site Scripting in Safari and iOS via Malicious Websites
Publication date: 2026-03-25
Last updated on: 2026-03-30
Assigner: Apple Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range (inc = inclusive, exc = exclusive) |
|---|---|---|
| apple | ipados | to 18.7.7 (exc) |
| apple | ipados | From 26.0 (inc) to 26.4 (exc) |
| apple | iphone_os | to 18.7.7 (exc) |
| apple | iphone_os | From 26.0 (inc) to 26.4 (exc) |
| apple | macos | to 26.4 (exc) |
| apple | safari | to 26.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a logic issue in Apple products such as Safari, iOS, iPadOS, and macOS Tahoe. It was addressed by implementing improved checks. The issue could be exploited by visiting a maliciously crafted website, which may lead to a cross-site scripting (XSS) attack.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update affected Apple products to the fixed versions: Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, or macOS Tahoe 26.4.
How can this vulnerability impact me?
If exploited, this vulnerability can lead to a cross-site scripting attack. This means that an attacker could execute malicious scripts in the context of your browser or device by tricking you into visiting a specially crafted website. This could result in unauthorized actions, data theft, or other malicious activities.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
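The practical check for this CVE is an inventory check against the fixed versions, since the page gives no signature or network indicator for the underlying WebKit logic issue. The script below is an added example, not part of the advisory page and not Apple's code: it encodes the ranges from the "Affected Vendors & Products" table above (Safari and macOS below 26.4; iOS and iPadOS below 18.7.7 or from 26.0 up to but excluding 26.4) and reports whether a given product/version pair falls inside them. The function names (`vercmp`, `is_affected`, `check_local_macos`) are this example's own; the local check assumes a Mac with `sw_vers` on the PATH and Safari installed at the standard `/Applications/Safari.app` location. Note that the table as extracted lists macOS simply as "to 26.4 (exc)", and the code follows the table.

```shell
#!/bin/sh
# Added example for CVE-2026-28871 (not from the advisory or Apple).
# Decides whether PRODUCT VERSION is inside the affected ranges from the
# page's affected-products table. Function names are this example's own.

# Compare two dotted numeric versions. Prints -1, 0 or 1 (a<b, a=b, a>b).
# Missing trailing components count as 0, so 26.4 equals 26.4.0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# Print "affected" or "fixed" for PRODUCT VERSION using the table's ranges:
#   safari, macos      : < 26.4
#   iphone_os, ipados  : < 18.7.7, or 26.0 <= v < 26.4
# Prints "unknown" for a product the table does not list.
is_affected() {
    product="$1"; ver="$2"
    case "$product" in
        safari|macos)
            if [ "$(vercmp "$ver" 26.4)" -lt 0 ]; then echo affected; else echo fixed; fi ;;
        iphone_os|ipados)
            if [ "$(vercmp "$ver" 18.7.7)" -lt 0 ]; then
                echo affected
            elif [ "$(vercmp "$ver" 26.0)" -ge 0 ] && [ "$(vercmp "$ver" 26.4)" -lt 0 ]; then
                echo affected
            else
                echo fixed
            fi ;;
        *) echo unknown ;;
    esac
}

# Local check on a Mac: OS version from sw_vers, Safari version from the
# bundle's Info.plist (assumes the standard /Applications/Safari.app path).
check_local_macos() {
    osver="$(sw_vers -productVersion)"
    echo "macOS $osver: $(is_affected macos "$osver")"
    plist=/Applications/Safari.app/Contents/Info.plist
    if [ -r "$plist" ]; then
        sfver="$(defaults read "$plist" CFBundleShortVersionString)"
        echo "Safari $sfver: $(is_affected safari "$sfver")"
    fi
}

if command -v sw_vers >/dev/null 2>&1; then
    check_local_macos
else
    # Not a Mac: feed inventory values (e.g. from MDM exports) to is_affected.
    echo "iphone_os 18.7.6: $(is_affected iphone_os 18.7.6)"
    echo "ipados 26.4: $(is_affected ipados 26.4)"
fi
```

For fleet use, call `is_affected` over an MDM or asset-inventory export of device OS versions rather than relying on the local check; the version comparison is the part that matters, since a plain string comparison would rank 26.10 below 26.9 and misclassify devices.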