PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28861 Apple CVE debrief

Apple addressed a logic issue in Safari and related Apple operating systems that could let a malicious website access script message handlers intended for other origins. Apple says the issue is fixed in Safari 26.4, iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, and visionOS 26.4. The CVSS score is 4.3 (medium), and the NVD vector indicates network access with user interaction required.

Vendor
Apple
Product
CVE-2026-28861
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-25
Original CVE updated
2026-05-10
Advisory published
2026-03-25
Advisory updated
2026-05-10

Who should care

Organizations and individuals using Apple devices or Safari, especially where browser-based workflows handle sensitive data, internal web apps, or cross-origin messaging. Security teams managing fleets of iPhone, iPad, Mac, and Vision Pro devices should prioritize the listed updates.

Technical summary

The published description says the flaw was a logic issue fixed by improved state management. In practical terms, a malicious website may be able to access script message handlers meant for other origins, which suggests an origin-isolation or messaging-state confusion problem in Safari/WebKit behavior. NVD classifies the issue as network قابل with low attack complexity, no privileges required, and user interaction required, with limited confidentiality impact and no integrity or availability impact listed.

Defensive priority

Medium. The issue is publicly disclosed and affects widely deployed Apple browser and OS components, but there is no KEV listing or ransomware linkage in the supplied corpus. Prioritize if your users browse untrusted sites or your environment relies on cross-origin web messaging.

Recommended defensive actions

  • Update affected Apple devices to the fixed versions listed by Apple: Safari 26.4, iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, or visionOS 26.4 as applicable.
  • Use Apple’s vendor advisories/release notes to confirm the correct update path for each platform and deployment branch.
  • Prioritize managed devices that regularly access sensitive web applications, internal portals, or browser-based messaging features.
  • Verify that update compliance covers both the browser and the underlying operating system where applicable.
  • Treat unpatched devices as potentially exposed to cross-origin web-content abuse until updated.

Evidence notes

This debrief is based only on the supplied CVE record, NVD metadata, and the linked Apple advisories referenced in the source corpus. The corpus states the affected products and fixed versions, and it describes the issue as a logic problem with improved state management. No exploit method, proof-of-concept, or additional root-cause details are included here.

Official resources

Publicly disclosed on 2026-03-25 in the CVE record and NVD entry; NVD metadata was modified on 2026-05-10. The supplied corpus does not indicate KEV listing.