About the security content of Safari 26.3
This document describes the security content of Safari 26.3.
About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
Safari 26.3
Released February 11, 2026
CFNetwork
Available for: macOS Sonoma and macOS Sequoia
Impact: A remote user may be able to write arbitrary files
Description: A path handling issue was addressed with improved logic.
CVE-2026-20660: Amy (amys.website)
Safari
Available for: macOS Sonoma and macOS Sequoia
Impact: An app may be able to access a user's Safari history
Description: A logic issue was addressed with improved validation.
CVE-2026-20656: Mickey Jin (@patch1t)
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: A remote attacker may be able to cause a denial-of-service
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 303959
CVE-2026-20652: Nathaniel Oh (@calysteon)
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: This issue was addressed through improved state management.
WebKit Bugzilla: 303357
CVE-2026-20608: HanQing from TSDubhe and Nan Wang (@eternalsakura13)
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: A website may be able to track users through Safari web extensions
Description: This issue was addressed through improved state management.
WebKit Bugzilla: 305020
CVE-2026-20676: Tom Van Goethem
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 303444
CVE-2026-20644: HanQing from TSDubhe and Nan Wang (@eternalsakura13)
WebKit Bugzilla: 304657
CVE-2026-20636: EntryHi
WebKit Bugzilla: 304661
CVE-2026-20635: EntryHi
Additional recognition
WebKit
We would like to acknowledge David Wood, EntryHi, Luigino Camastra of Aisle Research, Stanislav Fort of Aisle Research, Vsevolod Kokorin (Slonser) of Solidlab and Jorian Woltjer for their assistance.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.