Description
This issue was addressed with improved URL validation. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. On a Mac with Lockdown Mode enabled, web content opened via a file URL may be able to use Web APIs that should be restricted.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected products
- Apple / macOS0 – 26.2
- Apple / Safari0 – 26.2
References
- VENDOR_ADVISORYhttps://support.apple.com/en-us/125886
- VENDOR_ADVISORYhttps://support.apple.com/en-us/125892