CVE-2025-66286
Webkitgtk: authorization bypass through webpage::send-request signal handler
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.7EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
23 Apr 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the
WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP requests bypass this signal handler.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Affected products
Red Hat · Red Hat Enterprise Linux 6Red Hat · Red Hat Enterprise Linux 7Red Hat · Red Hat Enterprise Linux 8Red Hat · Red Hat Enterprise Linux 9Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →