LeakyCreds

CVE-2026-20643 - Vulnerability Analysis

Medium, CVSS: 5.4

Last Updated: March 19, 2026

Apple iOS Navigation API - CORS Misconfiguration

Published: March 17, 2026 | Updated: March 19, 2026 | PoC Available | Remote Exploitable

Overview

Apple iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1 and 26.3.2 contain a cross-origin issue caused by insufficient input validation in the Navigation API, which lets attackers bypass the Same Origin Policy via crafted web content. Exploitation requires the victim to process malicious content.

Severity & Score

Severity: Medium
CVSS Score: 5.4
EPSS Score: 1.3% (Probability of exploitation in next 30 days)

Impact

Attackers can bypass the Same Origin Policy, potentially leading to unauthorized data access across origins.

Mitigation

Update to iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1 or later.

Social Media Activity (1 post)

OverSecurity
@oversecurity
Mar 19, 2026

Apple Patches WebKit Vulnerability CVE-2026-20643 Across iOS, macOS Apple has released a new security update to address a critical WebKit vulnerability tracked as CVE-2026-20643. The vulnerability was identified 🔗 [Thecyberexpress] https://link.is.it/lPLEWn


Details

CVE ID: CVE-2026-20643
Severity: Medium
CVSS Score: 5.4
Type: cors_misconfiguration
Status: modified
EPSS: 1.3%
Social Posts: 1

CWE

  • CWE-20

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS Score

1.3% (Probability of exploitation in the next 30 days)