MEDIUM

CVE-2026-20643

Published: March 17, 2026 · Updated: Mar 19, 2026

CVSS v3.1: 5.4
EPSS: 0.03% probability of exploitation in 30 days · Percentile: 7.9th

Official Description

A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. Processing maliciously crafted web content may bypass Same Origin Policy.

NVD Source

Technical Analysis

CVE-2026-20643 can be exploited remotely over the network, with no physical or adjacent access required, which widens the attack surface available to threat actors.

Exploitation requires no privileges but does require user interaction (User Interaction: Required), which slightly reduces the risk of mass automated attacks.

CVSS v3.1 Vector Breakdown

Exploitability
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Req.: None
  User Interaction: Required
  Scope: Unchanged
Impact
  Confidentiality: Low
  Integrity: Low
  Availability: None
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Vendors & Products

Apple: 3 products
ipados, iphone os, macos
Source: NVD CPE · 3 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

News & Research Mentioning CVE-2026-20643

Apple patches WebKit bug that could let sites access your data
Malwarebytes Labs · Mar 18, 2026

Apple has released a Background Security Improvement that silently fixes a WebKit vulnerability (CVE-2026-20643).

Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS
The Hacker News · Mar 18, 2026

Apple on Tuesday released its first round of Background Security Improvements to address a security flaw in WebKit that affects iOS, iPadOS, and macOS. The vulnerability, tracked as CVE-2026-20643 (CVSS score: N/A), has been described as a cross-origin issue in WebKit's Navigation API that could be exploited to bypass the same-origin policy when processing maliciously crafted web content. The

Apple pushes first Background Security Improvements update to fix WebKit flaw
BleepingComputer · Mar 17, 2026

Apple has released its first Background Security Improvements update to fix a WebKit flaw tracked as CVE-2026-20643 on iPhones, iPads, and Macs without requiring a full operating system upgrade. [...]

Quick Facts

CVE ID: CVE-2026-20643
CVSS Score: 5.4 / 10
Severity: MEDIUM
CISA KEV: No
EPSS (30d): 0.03%
Affected: 1 vendor
Published: Mar 17, 2026

Known Threat Actors

wa: financial
silent: financial
B0: financial
core: financial

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-20643 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.