About the security content of Safari 26.4

This document describes the security content of Safari 26.4.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

Safari 26.4

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

Description: This issue was addressed through improved state management.

CVE-2026-20665: webb

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: A cross-origin issue in the Navigation API was addressed with improved input validation.

CVE-2026-20643: Thomas Espach

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack

Description: A logic issue was addressed with improved checks.

CVE-2026-28871: @hamayanhamayan

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: The issue was addressed with improved memory handling.

CVE-2026-20664: Daniel Rhea, Söhnke Benedikt Fischedick (Tripton), Emrovsky & Switch, Yevhen Pervushyn

CVE-2026-28857: Narcis Oliveras Fontàs, Söhnke Benedikt Fischedick (Tripton), Daniel Rhea, Nathaniel Oh (@calysteon)

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: A malicious website may be able to access script message handlers intended for other origins

Description: A logic issue was addressed with improved state management.

CVE-2026-28861: Hongze Wu and Shuaike Dong from Ant Group Infrastructure Security Team

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: A malicious website may be able to process restricted web content outside the sandbox

Description: The issue was addressed with improved memory handling.

CVE-2026-28859: greenbynox, Arni Hardarson

WebKit Sandboxing

Available for: macOS Sonoma and macOS Sequoia

Impact: A maliciously crafted webpage may be able to fingerprint the user

Description: An authorization issue was addressed with improved state management.

CVE-2026-20691: Gongyu Ma (@Mezone0)

Additional recognition

Safari

We would like to acknowledge @RenwaX23, Bikesh Parajuli, Farras Givari, Syarif Muhammad Sajjad, Yair for their assistance.

Web Extensions

We would like to acknowledge Carlos Jeurissen, Rob Wu (robwu.nl) for their assistance.

WebKit

We would like to acknowledge Vamshi Paili for their assistance.

WebKit Process Model

We would like to acknowledge Joseph Semaan for their assistance.