CVE-2025-43526

Summary

This issue was addressed with improved URL validation. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. On a Mac with Lockdown Mode enabled, web content opened via a file URL may be able to use Web APIs that should be restricted.

Affected Software

VendorProductVersion RangeStatus
AppleSafari0 < 26.2affected
ApplemacOS0 < 26.2affected

Weaknesses

  • On a Mac with Lockdown Mode enabled, web content opened via a file URL may be able to use Web APIs that should be restricted

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References