Apple Safari
Recent Apple Safari Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 127685 | Safari 26.5.2 - Apple Security Content | June 29, 2026 |
| 127121 | Safari 26.5 - Apple Security Content | May 13, 2026 |
| 126800 | Safari 26.4 - Apple Security Content | March 24, 2026 |
| 126354 | Safari 26.3 - Apple Security Content | February 11, 2026 |
| 125892 | Safari 26.2 - Apple Security Content | December 12, 2025 |
| 125640 | Safari 26.1 - Apple Security Content | November 3, 2025 |
| 125113 | Safari 26 - Apple Security Content | September 15, 2025 |
| 124152 | Safari 18.6 - Apple Security Content | July 30, 2025 |
| 122719 | Safari 18.5 - Apple Security Content | May 12, 2025 |
| 122379 | Safari 18.4 - Apple Security Content | March 31, 2025 |
Known Exploited Apple Safari Vulnerabilities
The following Apple Safari vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Apple Safari Webkit Browser Engine Buffer Overflow Vulnerability | Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. CVE-2021-30665 Exploit Probability: 3.7% | November 3, 2021 |
| Apple Safari Webkit Browser Engine Integer Overflow Vulnerability | Integer overflow. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2021-30663 Exploit Probability: 3.7% | November 3, 2021 |
By the Year
In 2026 there have been 71 vulnerabilities in Apple Safari, with an average score of 7.1 out of ten. Last year, in 2025, Safari had 102 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Safari in 2026 could surpass last year's number. The average CVE base score of the vulnerabilities in 2026 is also greater, by 0.28.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 71 | 7.06 |
| 2025 | 102 | 6.78 |
| 2024 | 61 | 6.70 |
| 2023 | 44 | 7.92 |
| 2022 | 42 | 7.84 |
| 2021 | 35 | 7.75 |
| 2020 | 74 | 7.15 |
| 2019 | 166 | 8.02 |
| 2018 | 41 | 8.11 |
It may take a day or so for new Safari vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apple Safari Security Vulnerabilities
Apple Safari 26.5.1 Cross-Origin Info Leak
CVE-2026-43700
6.5 - Medium
- June 29, 2026
A cross-origin issue was addressed with improved tracking of security origins. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may disclose sensitive user information.
Origin Validation Error
Safari 26.5.2 Crash via Malicious Web Content, Fixed
CVE-2026-43716
6.5 - Medium
- June 29, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Dangling pointer
Safari use-after-free CVE-2026-43720 fixed in Safari 26.5.2
CVE-2026-43720
6.5 - Medium
- June 29, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Dangling pointer
Clipboard Hijack in Safari 26.5.2 (iOS/macOS)
CVE-2026-43721
6.5 - Medium
- June 29, 2026
This issue was addressed through improved state management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may be able to silently hijack clipboard data.
Incorrect Permission Assignment for Critical Resource
Apple Safari 26.5.2: Memory Handling Crash with Malicious Web Content
CVE-2026-39872
6.5 - Medium
- June 29, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Dangling pointer
Apple Safari 26.5.2 UAF Crash via Malformed Web Content
CVE-2026-43717
6.5 - Medium
- June 29, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Dangling pointer
Apple Safari 26.5.2 Memory Disclosure via Malicious Web Content
CVE-2026-43740
6.5 - Medium
- June 29, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may result in the disclosure of process memory.
Dangling pointer
Apple Safari/iOS Sandbox Bypass via Malicious Site (fixed in 26.5.2)
CVE-2026-43701
7.1 - High
- June 29, 2026
The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may be able to process restricted web content outside the sandbox.
Authorization
Safari Mem Corruption Crash <26.5.2
CVE-2026-43663
6.5 - Medium
- June 29, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Dangling pointer
Use-After-Free in Safari 26.5.2 Causing Crash
CVE-2026-43726
6.5 - Medium
- June 29, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Dangling pointer
Apple Safari 26.5.2 Use-After-Free Crash
CVE-2026-43746
6.5 - Medium
- June 29, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Dangling pointer
Safari 26.5.2 Memory Corruption Fix: Crash from Malicious Web Content
CVE-2026-43707
6.5 - Medium
- June 29, 2026
A memory corruption issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Buffer Overflow
Use-After-Free Crash in Safari, iOS/iPadOS/macOS, Fixed in 26.5.2
CVE-2026-43727
6.5 - Medium
- June 29, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Dangling pointer
Apple Safari <26.5.2: UAF in Web Content (fixed v26.5.2)
CVE-2026-43731
8.8 - High
- June 29, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to memory corruption.
Dangling pointer
Safari Path Handling Disclosure Vulnerability Fixed 26.5.2
CVE-2026-43732
6.5 - Medium
- June 29, 2026
A path handling issue was addressed with improved validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may disclose sensitive user information.
Directory traversal
CVE-2026-43708 Safari <26.5.2 cross-origin data exfiltration
CVE-2026-43708
4.3 - Medium
- June 29, 2026
The issue was addressed with improved input validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.
Improper Input Validation
Apple Safari Crash via Malicious Web Content, Fixed in 26.5.2
CVE-2026-43712
6.5 - Medium
- June 29, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Memory Corruption
Out-of-Bounds Write Leading to Safari Crash (pre-26.5.2)
CVE-2026-43745
6.5 - Medium
- June 29, 2026
An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Memory Corruption
Apple Safari 26.5.2 Use-After-Free in Web Extension Causing Crash
CVE-2026-43704
5.3 - Medium
- June 29, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious web extension may be able to cause an unexpected process crash.
Dangling pointer
Safari & iOS Type Confusion Memory Corruption Fixed in 26.5.2
CVE-2026-43705
8.8 - High
- June 29, 2026
A type confusion issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to memory corruption.
Object Type Confusion
Safari/iOS/iPadOS Permissions Leak, fixed in 26.5.2
CVE-2026-43713
6.5 - Medium
- June 29, 2026
A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Visiting a website may leak sensitive data.
Authorization
Safari UAF Crash Fixed in 26.5.2
CVE-2026-43709
6.5 - Medium
- June 29, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Dangling pointer
Apple Safari UAF in 26.5.2: Crash via Malicious Web Content
CVE-2026-43699
6.5 - Medium
- June 29, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Dangling pointer
Safari OOB Crash (v26.5.2) Bounds-Check Fix
CVE-2026-43676
6.5 - Medium
- June 29, 2026
An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Out-of-bounds Read
Apple Safari 26.5.2: Sandbox Escape via Input Validation
CVE-2026-43725
7.1 - High
- June 29, 2026
The issue was addressed with improved input validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may be able to process restricted web content outside the sandbox.
Improper Input Validation
Apple Safari stack overflow via malformed web content (pre-26.5.2)
CVE-2026-43718
6.5 - Medium
- June 29, 2026
A stack overflow was addressed with improved input validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Stack Overflow
Safari use-after-free CVE-2026-43734 fixed in 26.5.2
CVE-2026-43734
6.5 - Medium
- June 29, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Dangling pointer
Apple Safari/iOS/iPadOS/macOS Tahoe OOB Access (Fixed 26.5.2)
CVE-2026-28979
6.5 - Medium
- June 29, 2026
An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Out-of-bounds Read
Apple Safari Cross-Origin Data Exfil - Fixed in 26.5.2
CVE-2026-43735
8.1 - High
- June 29, 2026
The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.
Session Riding
Safari UAF vulnerability; fixed in Safari 26.5.2
CVE-2026-43742
6.5 - Medium
- June 29, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Dangling pointer
Use-After-Free in Apple Safari <26.5.2 (memory corruption)
CVE-2026-43715
8.8 - High
- June 29, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to memory corruption.
Dangling pointer
Apple iOS Update 18.7.9 Prevents Crash from Malicious Web Content
CVE-2026-28917
4.3 - Medium
- May 11, 2026
The issue was addressed with improved input validation. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Improper Input Validation
Apple WebKit Memory Crash via Crafted Web Content - fixed in 26.5
CVE-2026-28901
8.8 - High
- May 11, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Buffer Overflow
UAF in Safari WebKit on macOS before 26.5 (fixed 26.5)
CVE-2026-28946
8.8 - High
- May 11, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, macOS Tahoe 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Dangling pointer
CSP bypass in Apple OS 26.5 (iOS, iPadOS, macOS, tvOS, visionOS, watchOS)
CVE-2026-28907
8.1 - High
- May 11, 2026
The issue was addressed with improved input validation. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
Output Sanitization
Apple iOS/macOS iPadOS visionOS iframe download settings flaw before 26.5
CVE-2026-28971
4.3 - Medium
- May 11, 2026
The issue was addressed with improved UI handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website's download settings.
Clickjacking
Apple Safari: UAF Crash Vulnerability Fixed in 26.5
CVE-2026-28947
8.8 - High
- May 11, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Dangling pointer
Apple Safari 26.5 Crash via Malicious Web Content
CVE-2026-43658
8.8 - High
- May 11, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Buffer Overflow
WebKit Crash via WebContent (iOS/iPadOS <26.5, macOS/tvOS/visionOS <26.5)
CVE-2026-28905
8.8 - High
- May 11, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Buffer Overflow
Apple OS 26.5: Unexpected Process Crash via Malicious Web Content (Fix)
CVE-2026-28913
7.5 - High
- May 11, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Buffer Overflow
Apple OS 26.5 Memory Handling Crash on Malicious Web Content
CVE-2026-28944
7.5 - High
- May 11, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Buffer Overflow
Apple iOS/macOS 26.5 Use-After-Free in Web Rendering
CVE-2026-28883
8.8 - High
- May 11, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Dangling pointer
Apple WebKit CSP Bypass before 26.5 (iOS 18.7.9, macOS 26.5)
CVE-2026-43660
7.5 - High
- May 11, 2026
A validation issue was addressed with improved logic. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
Protection Mechanism Failure
Apple iOS Memory Crash CVE-2026-28953 Fixed in 18.7.9
CVE-2026-28953
8.8 - High
- May 11, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Buffer Overflow
Apple WebKit MemCorrupt Crash (CVE-2026-28904) fixed iOS 18.7.9+
CVE-2026-28904
8.8 - High
- May 11, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Buffer Overflow
Apple OS 26.5 Data Exposure via Improper Protection
CVE-2026-28958
5.5 - Medium
- May 11, 2026
This issue was addressed with improved data protection. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. An app may be able to access sensitive user data.
Information Disclosure
Apple iOS Access Restriction CVE-2026-28962 Fixed 18.7.9/26.5
CVE-2026-28962
7.5 - High
- May 11, 2026
This issue was addressed with improved access restrictions. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. Processing maliciously crafted web content may disclose sensitive user information.
Information Disclosure
Apple iOS/iPadOS macOS Memory Crash CVE-2026-28903
CVE-2026-28903
8.8 - High
- May 11, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Buffer Overflow
Safari UAF bug fixed in 26.5 via improved memory management
CVE-2026-28942
8.8 - High
- May 11, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Dangling pointer
Apple iOS/macOS/tvOS Memory Crash CVE-2026-28902
CVE-2026-28902
8.8 - High
- May 11, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Buffer Overflow