CVE-2025-43526
PUBLISHED
CVSS 9.8 CRITICAL
This issue was addressed with improved URL validation. This issue is fixed in macOS Tahoe 26.2, Safari 26.2. On a Mac with Lockdown Mode enabled, web content opened via a file URL may be able to use Web APIs that should be restricted.
EPSS 0.05% · 16.0th percentile
Risk Scores
CVSS 3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.05%
16.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apple | Safari | * |
| apple | macos | 0 |
| Apple | macOS | unspecified |
| apple | safari | 0 |
Exploit Intelligence
- CIRCL seen: CVE-2025-43526 (circl-sighting)
- https://support.apple.com/en-us/125892 (circl)
- https://support.apple.com/en-us/125886 (circl)
- macos_v1_generated.go (github-poc)
- macos_v1_generated.go (github-poc)
- macos_v2_generated.go (github-poc)
- macos_v2_generated.go (github-poc)
- macos_v2_generated.go (github-poc)
- macos_v2_generated.go (github-poc)
- macos_v1_generated.go (github-poc)
…and 8 more exploits
Timeline
- Dec 15, 2025 CVE Published
- Dec 17, 2025 PoC Published
- Dec 18, 2025 EPSS Score
- Dec 22, 2025 EPSS Score
- Dec 26, 2025 EPSS Score
- Dec 30, 2025 EPSS Score
- Jan 3, 2026 EPSS Score
- Jan 6, 2026 EPSS Score
- Jan 10, 2026 EPSS Score
- Jan 14, 2026 EPSS Score
- Jan 18, 2026 EPSS Score
- Jan 22, 2026 EPSS Score
References
- https://support.apple.com/en-us/125887 advisory
- https://support.apple.com/en-us/125891 advisory
- https://support.apple.com/en-us/125884 advisory
- https://support.apple.com/en-us/125886 advisory
- https://support.apple.com/en-us/125885 advisory
- https://support.apple.com/en-us/125889 advisory
- https://support.apple.com/en-us/125890 advisory
- https://support.apple.com/en-us/125892 advisory
- https://support.apple.com/en-us/125888 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-43526 advisory