Search Results (1644 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-43229 1 Apple 3 Macos, Safari, Sequoia 2026-04-28 6.1 Medium
This issue was addressed through improved state management. This issue is fixed in Safari 18.6, macOS Sequoia 15.6. Processing maliciously crafted web content may lead to universal cross site scripting.
CVE-2025-31192 1 Apple 4 Ipados, Iphone Os, Macos and 1 more 2026-04-28 6.7 Medium
The issue was addressed with improved checks. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A website may be able to access sensor information without user consent.
CVE-2025-24180 1 Apple 5 Ipados, Iphone Os, Macos and 2 more 2026-04-28 8.1 High
The issue was addressed with improved input validation. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4, watchOS 11.4. A malicious website may be able to claim WebAuthn credentials from another website that shares a registrable suffix.
CVE-2025-30466 1 Apple 5 Ipados, Iphone Os, Macos and 2 more 2026-04-28 9.8 Critical
This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4. A website may be able to bypass Same Origin Policy.
CVE-2025-43413 1 Apple 11 Ios, Ipad Os, Ipados and 8 more 2026-04-28 7.5 High
An access issue was addressed with additional sandbox restrictions. This issue is fixed in iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. A sandboxed app may be able to observe system-wide network connections.
CVE-2025-24169 1 Apple 2 Macos, Safari 2026-04-28 7.5 High
A logging issue was addressed with improved data redaction. This issue is fixed in Safari 18.3, macOS Sequoia 15.3. A malicious app may be able to bypass browser extension authentication.
CVE-2025-24128 1 Apple 4 Ipados, Iphone Os, Macos and 1 more 2026-04-28 4.3 Medium
The issue was addressed by adding additional logic. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3. Visiting a malicious website may lead to address bar spoofing.
CVE-2025-31184 1 Apple 5 Ipados, Iphone Os, Macos and 2 more 2026-04-28 7.8 High
This issue was addressed with improved permissions checking. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4. An app may gain unauthorized access to Local Network.
CVE-2025-24167 1 Apple 3 Ipados, Iphone Os, Safari 2026-04-28 9.8 Critical
This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, watchOS 11.4. A download's origin may be incorrectly associated.
CVE-2025-31238 1 Apple 7 Ipados, Iphone Os, Macos and 4 more 2026-04-28 7.3 High
The issue was addressed with improved checks. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. Processing maliciously crafted web content may lead to memory corruption.
CVE-2025-31217 1 Apple 7 Ipados, Iphone Os, Macos and 4 more 2026-04-28 6.5 Medium
The issue was addressed with improved input validation. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
CVE-2025-31254 1 Apple 5 Ios, Ipad Os, Ipados and 2 more 2026-04-28 5.4 Medium
This issue was addressed with improved URL validation. This issue is fixed in Safari 26, iOS 26 and iPadOS 26. Processing maliciously crafted web content may lead to unexpected URL redirection.
CVE-2025-43435 1 Apple 10 Ios, Ipad Os, Ipados and 7 more 2026-04-27 4.3 Medium
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-43376 1 Apple 7 Ios, Ipados, Iphone Os and 4 more 2026-04-27 7.5 High
A logic issue was addressed with improved state management. This issue is fixed in Safari 26, iOS 18.7.7 and iPadOS 18.7.7, iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. A remote attacker may be able to view leaked DNS queries with Private Relay turned on.
CVE-2025-31266 1 Apple 2 Macos, Safari 2026-04-27 4.3 Medium
A spoofing issue was addressed with improved truncation when displaying the fully qualified domain name. This issue is fixed in Safari 18.5, macOS Sequoia 15.5. A website may be able to spoof the domain name in the title of a pop-up window.
CVE-2025-43526 1 Apple 3 Macos, Macos Tahoe, Safari 2026-04-27 9.8 Critical
This issue was addressed with improved URL validation. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. On a Mac with Lockdown Mode enabled, web content opened via a file URL may be able to use Web APIs that should be restricted.
CVE-2007-3376 2 Apple, Microsoft 2 Safari, Windows Xp 2026-04-23 N/A
Buffer overflow in Apple Safari 3.0.2 on Windows XP SP2 allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long value in the title HTML tag, which triggers the overflow when the user adds the page as a bookmark.
CVE-2009-2062 1 Apple 1 Safari 2026-04-23 N/A
Apple Safari before 3.2.2 processes a 3xx HTTP CONNECT response before a successful SSL handshake, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying this CONNECT response to specify a 302 redirect to an arbitrary https web site.
CVE-2007-3514 1 Apple 1 Safari 2026-04-23 N/A
Cross-domain vulnerability in Apple Safari for Windows 3.0.2 allows remote attackers to bypass the Same Origin Policy and access restricted information from other domains via JavaScript that overwrites the document variable and statically sets the document.domain attribute to a file:// location, a different vector than CVE-2007-3482.
CVE-2009-3016 1 Apple 1 Safari 2026-04-23 N/A
Apple Safari 4.0.3 does not properly block javascript: and data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains a javascript: URI, (2) entering a javascript: URI when specifying the content of a Refresh header, (3) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI, or (4) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header.