This document describes the security content of Safari 26.4.
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
Released March 24, 2026
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: This issue was addressed through improved state management.
WebKit Bugzilla: 304951
CVE-2026-20665: webb
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may bypass Same Origin Policy
Description: A cross-origin issue in the Navigation API was addressed with improved input validation.
WebKit Bugzilla: 306050
CVE-2026-20643: Thomas Espach
Available for: macOS Sonoma and macOS Sequoia
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: A logic issue was addressed with improved checks.
WebKit Bugzilla: 305859
CVE-2026-28871: @hamayanhamayan
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 306136
CVE-2026-20664: Yeonghyeon Choi, Daniel Rhea, Söhnke Benedikt Fischedick (Tripton), Emrovsky & Switch3301, Yevhen Pervushyn
WebKit Bugzilla: 307723
CVE-2026-28857: Minse Kim, Narcis Oliveras Fontàs, Söhnke Benedikt Fischedick (Tripton), Daniel Rhea, Nathaniel Oh (@calysteon)
Entry updated May 11, 2026
Available for: macOS Sonoma and macOS Sequoia
Impact: A malicious website may be able to access script message handlers intended for other origins
Description: A logic issue was addressed with improved state management.
WebKit Bugzilla: 307014
CVE-2026-28861: Hongze Wu and Shuaike Dong from Ant Group Infrastructure Security Team, and webb
Entry updated May 11, 2026
Available for: macOS Sonoma and macOS Sequoia
Impact: A malicious website may be able to process restricted web content outside the sandbox
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 308248
CVE-2026-28859: greenbynox, Arni Hardarson, and an anonymous researcher
Entry updated May 11, 2026
Available for: macOS Sonoma and macOS Sequoia
Impact: A maliciously crafted webpage may be able to fingerprint the user
Description: An authorization issue was addressed with improved state management.
WebKit Bugzilla: 306827
CVE-2026-20691: Gongyu Ma (@Mezone0)
We would like to acknowledge @RenwaX23, Bikesh Parajuli, Farras Givari, Syarif Muhammad Sajjad, Yair for their assistance.
We would like to acknowledge Carlos Jeurissen, Rob Wu (robwu.nl) for their assistance.
We would like to acknowledge Vamshi Paili for their assistance.
We would like to acknowledge Joseph Semaan for their assistance.