Apple has released the full list of security fixes for Safari 26.5, including a WebKit vulnerability that could allow maliciously crafted web content to leak sensitive user information. Here are the details.
On the same day, the company released the full security content of each update, and you can find more details about it here.
Apple has now released security content for Safari 26.5, which includes fixes for 20 WebKit vulnerabilities, as well as a WebRTC issue that could cause the process to crash unexpectedly.
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may prevent content security policy from being enforced.
Description: A validation issue was resolved with improved logic.
WebKit Bugzilla: 308906
CVE-2026-43660: Canteen
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may prevent content security policy from being enforced.
Description: The issue was resolved with improved input validation.
WebKit Bugzilla: 308675
CVE-2026-28907: Canteen
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content can leak sensitive user information.
Description: This issue has been resolved with improved access restrictions.
WebKit Bugzilla: 309698
CVE-2026-28962: Luke Francis, Vaagn Vardanian, kwak kiyong / kakaogames, Vitaly Simonovich, Adel Bouachraoui, greenbynox
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may cause Safari to crash unexpectedly.
Description: The issue was resolved with improved memory management.
WebKit Bugzilla: 307669
CVE-2026-43658: Do Young Park
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may cause the process to crash unexpectedly.
Description: The issue was resolved with improved memory management.
WebKit Bugzilla: 308545
CVE-2026-28905: Yuhao Hu, Yuanming Lai, Chenggang Wu and Zhe Wang
WebKit Bugzilla: 308707
CVE-2026-28847: DARKNAVY (@DarkNavyOrg), anonymous working with TrendAI Zero Day Initiative, Daniel Rhea
WebKit Bugzilla: 309601
CVE-2026-28904: Luka Racki
WebKit Bugzilla: 310880
CVE-2026-28955: wac and Kookhwan Lee working with TrendAI Zero Day Initiative
WebKit Bugzilla: 310303
CVE-2026-28903: Mateusz Krzywicki (iVerify.io)
WebKit Bugzilla: 309628
CVE-2026-28953: Maher Azzouzi
WebKit Bugzilla: 309861
CVE-2026-28902: Tristan Madani (@TristanInSec) of Talence Security, Nathaniel Oh (@calysteon)
WebKit Bugzilla: 310207
CVE-2026-28901: Offensive Aisle Security Research Team (Joshua Rogers, Luigino Camastra, Igor Morgenstern, and Guido Vranken), Maher Azzouzi, Ngan Nguyen from Calif.io
WebKit Bugzilla: 311631
CVE-2026-28913: an anonymous researcher
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may cause the process to crash unexpectedly.
Description: A use-after-free issue has been resolved with improved memory management.
WebKit Bugzilla: 313939
CVE-2026-28883: kwak kiyong / kakaogames
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: An application may be able to access sensitive user data.
Description: This issue has been addressed with enhanced data protection.
WebKit Bugzilla: 311228
CVE-2026-28958: Canteen
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may cause the process to crash unexpectedly.
Description: The issue was resolved with improved input validation.
WebKit Bugzilla: 310527
CVE-2026-28917: Vitali Simonovitch
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may cause Safari to crash unexpectedly.
Description: A use-after-free issue has been resolved with improved memory management.
WebKit Bugzilla: 310234
CVE-2026-28947: dr3dd
WebKit Bugzilla: 310544
CVE-2026-28946: Gia Bui (@yabeow) from Calif.io, dr3dd, w0wbox
WebKit Bugzilla: 312180
CVE-2026-28942: Milad Nasr and Nicholas Carlini with Claude, Anthropic
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: A malicious iframe can use another website’s download settings.
Description: The issue was resolved with improved user interface handling.
CVE-2026-28971: Khiem Tran
WebKit Bugzilla: 311288
WebRTC
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may cause the process to crash unexpectedly.
Description: The issue was resolved with improved memory management.
WebKit Bugzilla: 311131
CVE-2026-28944: Kenneth Hsu of Palo Alto Networks, Jérôme DJOUDER, dr3dd
If your Mac is compatible with Safari 26.5, it might be a good idea to make sure you’re using the latest version as soon as possible.