CVE-2026-20665 is a vulnerability identified in Apple Safari browsers that affects the enforcement of Content Security Policy (CSP), a critical security mechanism designed to prevent cross-site scripting (XSS), data injection, and other code injection attacks by restricting the sources from which content can be loaded or executed. The root cause of this vulnerability is improper state management when processing maliciously crafted web content, which can cause Safari to fail in enforcing the CSP directives. This failure effectively allows an attacker to bypass CSP protections, potentially enabling the execution of unauthorized scripts or loading of malicious resources that would otherwise be blocked. The vulnerability impacts multiple Apple platforms including Safari on macOS Tahoe, iOS, iPadOS, tvOS, visionOS, and watchOS prior to version 26.4. The CVSS v3.1 base score is 6.5 (medium severity), with an attack vector of network (remote exploitation), low attack complexity, no privileges required, no user interaction needed, and impacts limited confidentiality and availability. Apple resolved this issue by improving state management in Safari’s web content processing pipeline, releasing patches in Safari 26.4 and corresponding OS updates (iOS 18.7.7, iPadOS 18.7.7, macOS Tahoe 26.4, etc.). There are no known exploits in the wild at this time. The CWE associated is CWE-693, which relates to protection mechanism failures. This vulnerability is significant because CSP is a widely adopted defense-in-depth mechanism for web security, and its bypass can facilitate further exploitation such as XSS or data theft.

The primary impact of CVE-2026-20665 is the potential bypass of Content Security Policy enforcement in Safari browsers, which undermines a key security control designed to prevent malicious script execution and resource loading. This can lead to partial loss of confidentiality if attackers manage to execute unauthorized scripts that steal sensitive information such as cookies, tokens, or user data. The integrity impact is minimal as the vulnerability does not directly allow data modification, but it can be a stepping stone for further attacks. Availability impact is low to medium since malicious content could disrupt normal browser behavior or cause denial of service conditions. Because the vulnerability requires no privileges or user interaction and can be exploited remotely via crafted web content, it poses a significant risk to users visiting malicious or compromised websites. Organizations relying on Apple devices for web access, especially those enforcing strict CSP policies for internal or web applications, may face increased risk of web-based attacks, data leakage, and compliance violations if patches are not applied promptly.

1. Immediately update all affected Apple platforms to Safari 26.4 or later and corresponding OS versions (iOS 18.7.7, iPadOS 18.7.7, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4) to ensure the vulnerability is patched. 2. Enforce strict CSP headers with nonce or hash-based directives to reduce reliance on default policies and minimize the impact of potential CSP bypasses. 3. Implement web application security best practices such as input validation, output encoding, and use of Subresource Integrity (SRI) to complement CSP protections. 4. Monitor web traffic and logs for unusual script execution or resource loading patterns that may indicate exploitation attempts. 5. Educate users about the risks of visiting untrusted websites and encourage use of updated browsers. 6. For enterprise environments, consider deploying network-level web filtering and sandboxing solutions to reduce exposure to malicious web content. 7. Regularly review and audit CSP implementations to ensure policies are correctly configured and enforced.