CVE-2026-28971

CVSS 4.3 MEDIUMEPSS 0.3%CWE-1021

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

11 May 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The issue was addressed with improved UI handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Affected products

Apple · iOS and iPadOS Apple · macOS Apple · Safari Apple · visionOS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://support.apple.com/en-us/127110 https://support.apple.com/en-us/127115 https://support.apple.com/en-us/127120 https://support.apple.com/en-us/127121