WebKit Same Origin Policy bypass (CVE-2026-20643)
Vulnerability
Summary
Apple fixed CVE-2026-20643, a WebKit flaw that let malicious web content bypass Same Origin Policy on iPhones, iPads, and Macs. The bug created a cross-origin browser security break that could weaken origin isolation. Apple delivered the fix through Background Security Improvements, reducing exposure without requiring a full OS upgrade.
Related Happenings
iOS 26.5 beta rolls out default end-to-end encrypted RCS messaging on iPhone and Android
Security Tool/Service
First: 12.05.2026 08:18
Last: 12.05.2026 08:18
Sources 1
About this happening:
Apple's **iOS 26.5** beta adds **default end-to-end encrypted RCS** messaging for **iPhone** and **Android** users, strengthening privacy in cross-platform chats. The rollout cove...
OpenAI rotates macOS code-signing certificates after supply-chain exposure
Security Tool/Service
First: 13.04.2026 20:39
Last: 13.04.2026 20:39
Sources 1
About this happening:
**OpenAI** is **rotating and revoking macOS code-signing certificates**, forcing users of **ChatGPT Desktop**, **Codex**, **Codex CLI**, and **Atlas** to update so trust in signed...
Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/Service
First: 09.04.2026 21:33
Last: 09.04.2026 21:33
Sources 1
About this happening:
Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...
EngageLab SDK intent redirection security flaw
Vulnerability
First: 09.04.2026 20:26
Last: 09.04.2026 20:26
Sources 1
About this happening:
A **now-patched intent redirection vulnerability** in the **EngageLab SDK** could let **malicious apps** bypass the **Android security sandbox** and access private data in apps us...
Apple iOS outdated-device exploit-kit mitigation advisory
Advisory/Mitigation
First: 20.03.2026 07:16
Last: 20.03.2026 07:16
Sources 1
About this happening:
**Apple** is sending **Lock Screen notifications** to **outdated iPhones and iPads** after detecting **active web-based attacks**, urging users to install updates. The latest noti...
Timeline
18.03.2026 08:31 (2 articles)
Apple releases Background Security Improvements for CVE-2026-20643
Mitigation Patch Update: Apple released its first round of Background Security Improvements to address CVE-2026-20643 in WebKit, a cross-origin issue in the Navigation API that could bypass the same-origin policy when processing maliciously crafted web content. The flaw affects iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2, and Apple says it was addressed with improved input validation in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Apple also credits security researcher Thomas Espach with discovering and reporting the shortcoming.
Sources:
- Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS — thehackernews.com — 18.03.2026 08:31
18.03.2026 03:06 (1 article)
Apple releases first Background Security Improvements fix for CVE-2026-20643
Mitigation Patch Update: Apple released its first Background Security Improvements update to fix CVE-2026-20643, a WebKit flaw on iPhones, iPads, and Macs that let malicious web content bypass the browser's Same Origin Policy. The out-of-band patch used improved input validation and was available for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. Uninstalling it removes previously applied background patches and reverts devices to the baseline OS version until the fixes are reapplied or bundled into a future full update.
Sources:
- Apple pushes first Background Security Improvements update to fix WebKit flaw — www.bleepingcomputer.com — 18.03.2026 03:06