Description
The issue was addressed with improved input validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may be able to process restricted web content outside the sandbox.
In plain language
AI Worth attentionThis Safari/iPhone/iPad/Mac web-browsing bug could let a malicious website process some “restricted” web content in a way Apple normally blocks; you should update to the fixed versions if you use these devices, because the problem involves visiting a website.
CVE-2026-43725 is a sandbox-bypass weakness (CWE-20) where a malicious website can bypass sandbox restrictions to process restricted web content, fixed in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2.
What to do now
- Check your devices’ software versions and update Safari/iOS/iPadOS/macOS to 26.5.2 or later.
- If you can’t update right away, avoid opening untrusted links in Safari until updates are installed.
- After updating, restart the devices and confirm Safari opens normally and can load your usual sites.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:RUser InteractionS:CScopeC:LConfidentialityI:LIntegrityA:LAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
1 techniqueReferences
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-43725 and every CVE in our database. Create a free account — no credit card required.
Create Free Account