CVE-2026-28971 PUBLISHED

Assigner: apple
Reserved: 03.03.2026 Published: 11.05.2026 Updated: 11.05.2026

The issue was addressed with improved UI handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings.

Product Status

Vendor	Apple
Product	iOS and iPadOS
Versions	affected from 0 to 26.5 (excl.)

Vendor	Apple
Product	macOS
Versions	affected from 0 to 26.5 (excl.)

Vendor	Apple
Product	visionOS
Versions	affected from 0 to 26.5 (excl.)

References

https://support.apple.com/en-us/127110
https://support.apple.com/en-us/127115
https://support.apple.com/en-us/127120

Problem Types

A malicious iframe may use another website’s download settings