APPLE-SA-03-24-2026-9 Safari 26.4

Posted on 25 March 2026
Apple Security-announce

Safari 26.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/126800.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may prevent Content
Security Policy from being enforced
Description: This issue was addressed through improved state management.
WebKit Bugzilla: 304951
CVE-2026-20665: webb

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may bypass Same
Origin Policy
Description: A cross-origin issue in the Navigation API was addressed
with improved input validation.
WebKit Bugzilla: 306050
CVE-2026-20643: Thomas Espach

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Visiting a maliciously crafted website may lead to a cross-site
scripting attack
Description: A logic issue was addressed with improved checks.
WebKit Bugzilla: 305859
CVE-2026-28871: @hamayanhamayan

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 306136
CVE-2026-20664: Daniel Rhea, Söhnke Benedikt Fischedick (Tripton),
Emrovsky & Switch, Yevhen Pervushyn
WebKit Bugzilla: 307723
CVE-2026-28857: Narcis Oliveras Fontàs, Söhnke Benedikt Fischedick
(Tripton), Daniel Rhea, Nathaniel Oh (@calysteon)

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: A malicious website may be able to access script message
handlers intended for other origins
Description: A logic issue was addressed with improved state management.
WebKit Bugzilla: 307014
CVE-2026-28861: Hongze Wu and Shuaike Dong from Ant Group Infrastructure
Security Team

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: A malicious website may be able to process restricted web
content outside the sandbox
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 308248
CVE-2026-28859: greenbynox, Arni Hardarson

WebKit Sandboxing
Available for: macOS Sonoma and macOS Sequoia
Impact: A maliciously crafted webpage may be able to fingerprint the
user
Description: An authorization issue was addressed with improved state
management.
WebKit Bugzilla: 306827
CVE-2026-20691: Gongyu Ma (@Mezone0)

Additional recognition

Safari
We would like to acknowledge @RenwaX23, Bikesh Parajuli, Farras Givari,
Syarif Muhammad Sajjad, Yair for their assistance.

Web Extensions
We would like to acknowledge Carlos Jeurissen, Rob Wu (robwu.nl) for
their assistance.

WebKit
We would like to acknowledge Vamshi Paili for their assistance.

WebKit Process Model
We would like to acknowledge Joseph Semaan for their assistance.

Safari 26.4 may be obtained from the Mac App Store.

All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

 
