CVE-2026-28971

Description

The issue was addressed with improved UI handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings.

PUBLISHED Reserved 2026-03-03 | Published 2026-05-11 | Updated 2026-05-13 | Assigner apple

Problem types

A malicious iframe may use another website’s download settings

Product status

References

support.apple.com/en-us/127110

support.apple.com/en-us/127115

support.apple.com/en-us/127120

support.apple.com/en-us/127121

cve.org (CVE-2026-28971)

nvd.nist.gov (CVE-2026-28971)

Download JSON