CVE-2026-20665 is a security vulnerability identified in Apple Safari browsers where processing specially crafted malicious web content can disrupt the enforcement of the Content Security Policy (CSP). CSP is a security standard implemented by browsers to restrict the sources from which scripts, styles, and other resources can be loaded, thereby preventing common web-based attacks such as cross-site scripting (XSS) and data injection. The vulnerability arises from improper state management within Safari's handling of web content, allowing an attacker to bypass CSP restrictions. This flaw affects Safari versions prior to 26.4 and corresponding OS versions including iOS 18.7.7, iPadOS 18.7.7, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4. Apple addressed the issue by improving internal state management to ensure CSP enforcement is not circumvented. Although no public exploits have been reported, the vulnerability poses a significant risk because CSP is a foundational defense mechanism for web security. Attackers could leverage this to inject malicious scripts or content into trusted web pages, potentially leading to data theft, session hijacking, or further compromise. The vulnerability affects a wide range of Apple devices, making it relevant for users and organizations relying on Safari for secure web browsing. The absence of a CVSS score necessitates a severity assessment based on impact and exploitability factors.

The primary impact of CVE-2026-20665 is the potential bypass of Content Security Policy enforcement in Safari, which undermines a critical layer of web security. This can enable attackers to execute cross-site scripting (XSS) attacks or inject malicious content into web pages that would otherwise be protected by CSP. The consequences include theft of sensitive information such as cookies, credentials, or personal data, unauthorized actions performed on behalf of users, and possible compromise of user sessions. For organizations, this vulnerability can lead to data breaches, loss of customer trust, and regulatory compliance issues. Given the widespread use of Apple devices globally, the scope of affected systems is large, encompassing mobile, desktop, and emerging platforms like visionOS. The ease of exploitation depends on the attacker’s ability to deliver crafted web content to victims, which can be achieved through phishing, malicious websites, or compromised legitimate sites. Since no authentication or user interaction beyond visiting a malicious page is necessarily required, the risk is elevated. The vulnerability’s impact on confidentiality and integrity is significant, while availability impact is minimal. Overall, this vulnerability poses a high risk to organizations and users relying on Safari for secure web access.

To mitigate the risk posed by CVE-2026-20665, organizations and users should promptly apply the security updates released by Apple, specifically Safari 26.4 and the corresponding OS updates (iOS 18.7.7, iPadOS 18.7.7, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4). Beyond patching, organizations should enforce strict CSP policies and regularly audit their web applications to ensure CSP headers are correctly implemented and effective. Employing additional security controls such as Subresource Integrity (SRI) can help verify the integrity of loaded scripts. Network-level protections like web filtering and DNS security can reduce exposure to malicious web content. User education to recognize phishing and suspicious links is also valuable. For high-risk environments, consider restricting Safari usage or deploying alternative browsers until patches are applied. Monitoring web traffic and browser behavior for anomalies indicative of CSP bypass attempts can provide early detection. Finally, organizations should maintain an inventory of Apple devices and ensure timely update management to reduce the attack surface.