DEBIAN-CVE-2026-20643
PUBLISHED
CVSS 5.4 MEDIUM
A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may bypass Same Origin Policy.
Risk Scores
CVSS 3.1
5.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | wpewebkit | 2.52.0-1, 2.50.5-1, 2.48.3-1 |
| Debian:13 | wpewebkit | 2.50.3-1, 2.50.4-1, 2.50.5-1 |
| Debian:14 | webkit2gtk | 2.48.5-1~deb11u1, 2.48.5-1~deb12u1, 2.48.5-1~deb13u1 |
| Debian:12 | wpewebkit | 2.52.3-1, 2.38.6-1, 2.39.91-1 |
| Debian:12 | webkit2gtk | 2.40.3-2, 2.40.3-1, 2.40.2-1 |
| Debian:13 | webkit2gtk | 2.52.0-1, 0, 2.48.3-1 |
| Debian:11 | webkit2gtk | 2.44.4-1, 2.45.1-1, 2.45.1-2 |
| Debian:11 | wpewebkit | *, *, * |
Exploit Intelligence
- WebKit NavigateEvent.canIntercept SOP bypass via cross-port interception — iOS 26.3.1 BSI (CVE-2026-20643) (github-poc-repo)
- WebKit NavigateEvent.canIntercept SOP bypass via cross-port interception — iOS 26.3.1 BSI (CVE-2026-20643) (github-poc)
- 2026-03-20.json (github-poc)
- CVE-2026-20643.json (github-poc)
- macos_v2_generated.go (github-poc)
- macos_v1_generated.go (github-poc)
- ios_v2_generated.go (github-poc)
- ios_v1_generated.go (github-poc)
- visionos_v2_generated.go (github-poc)
- safari_v2_generated.go (github-poc)
Timeline
- Mar 17, 2026 CVE Published
- Apr 28, 2026 CVE Updated