CVE-2025-43526

This issue was addressed with improved URL validation. This issue is fixed in macOS Tahoe 26.2, Safari 26.2. On a Mac with Lockdown Mode enabled, web content opened via a file URL may be able to use Web APIs that should be restricted.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://support.apple.com/en-us/125886	Release Notes Vendor Advisory
https://support.apple.com/en-us/125892	Release Notes Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apple:safari::::::::
	cpe:2.3:o:apple:macos::::::::

History

18 Dec 2025, 20:36

Type	Values Removed	Values Added
First Time		Apple macos Apple Apple safari
CPE		cpe:2.3:o:apple:macos:::::::: cpe:2.3:a:apple:safari::::::::
References	~~() https://support.apple.com/en-us/125886 -~~	() https://support.apple.com/en-us/125886 - Release Notes, Vendor Advisory
References	~~() https://support.apple.com/en-us/125892 -~~	() https://support.apple.com/en-us/125892 - Release Notes, Vendor Advisory

18 Dec 2025, 20:15

Type	Values Removed	Values Added
CWE		CWE-601
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

17 Dec 2025, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-17 21:16

Updated : 2025-12-18 20:36

NVD link : CVE-2025-43526

Mitre link : CVE-2025-43526

CVE.ORG link : CVE-2025-43526

JSON object : View

Products Affected

apple

safari
macos

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

9.8 /10