CVE-2025-43480
HIGHDescription
The issue was addressed with improved checks. This issue is fixed in Safari 26.1, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. A malicious website may exfiltrate data cross-origin.
Is your site exposed to CVE-2025-43480?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| apple | safari |
| apple | ipados |
| apple | iphone_os |
| apple | tvos |
| apple | visionos |
| apple | watchos |
References
Frequently Asked Questions
What is CVE-2025-43480? +
How severe is CVE-2025-43480? +
What products are affected by CVE-2025-43480? +
How do I check if I'm vulnerable to CVE-2025-43480? +
Related Vulnerabilities
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 …
PlexRipper is a cross-platform media downloader for Plex. PlexRipper’s open CORS policy allows attackers to gain sensitive information from PlexRipper …
Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. In 1.15.0 and earlier, an open CORS …
GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships …
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to …
Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented `allowed-origins` and `allowed-hosts` flags to …