CVE-2026-28871

high

Published 2026-05-19 · Modified 2026-04-27

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.0

Description

A logic issue was addressed with improved checks. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4. Visiting a maliciously crafted website may lead to a cross-site scripting attack.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack Red Hat statement To exploit this flaw, an attacker needs to trick a user into visiting a maliciously crafted web page. Due to this reason, this flaw has been rated with a moderate severity. CVSS v3: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Errata / fixed releases…

Description

webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack

Red Hat statement

To exploit this flaw, an attacker needs to trick a user into visiting a maliciously crafted web page. Due to this reason, this flaw has been rated with a moderate severity.

CVSS v3: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 8	`webkit2gtk3-0:2.52.3-1.el8_10`	RHSA-2026:10702	2026-04-27T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support	`webkit2gtk3-0:2.52.3-1.el8_4`	RHSA-2026:16056	2026-05-11T00:00:00Z
Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On	`webkit2gtk3-0:2.52.3-1.el8_4`	RHSA-2026:16056	2026-05-11T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support	`webkit2gtk3-0:2.52.3-1.el8_6`	RHSA-2026:13845	2026-05-05T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service	`webkit2gtk3-0:2.52.3-1.el8_6`	RHSA-2026:13845	2026-05-05T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions	`webkit2gtk3-0:2.52.3-1.el8_6`	RHSA-2026:13845	2026-05-05T00:00:00Z
Red Hat Enterprise Linux 8.8 Telecommunications Update Service	`webkit2gtk3-0:2.52.3-1.el8_8`	RHSA-2026:11814	2026-04-29T00:00:00Z
Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions	`webkit2gtk3-0:2.52.3-1.el8_8`	RHSA-2026:11814	2026-04-29T00:00:00Z
Red Hat Enterprise Linux 9	`webkit2gtk3-0:2.52.3-1.el9_8`	RHSA-2026:19206	2026-05-19T00:00:00Z
Red Hat Enterprise Linux 9	`webkit2gtk3-0:2.52.3-0.el9_7.1`	RHSA-2026:9692	2026-04-22T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions	`webkit2gtk3-0:2.52.3-1.el9_0`	RHSA-2026:19535	2026-05-20T00:00:00Z
Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions	`webkit2gtk3-0:2.52.3-1.el9_2`	RHSA-2026:16695	2026-05-13T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support	`webkit2gtk3-0:2.52.3-1.el9_4`	RHSA-2026:14659	2026-05-07T00:00:00Z
Red Hat Enterprise Linux 9.6 Extended Update Support	`webkit2gtk3-0:2.52.3-1.el9_6`	RHSA-2026:11329	2026-04-28T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 6	`webkitgtk`	Out of support scope
Red Hat Enterprise Linux 7	`webkitgtk3`	Not affected
Red Hat Enterprise Linux 7	`webkitgtk4`	Affected

Apply commands

bash fix

Apply RHSA-2026:10702 for Red Hat Enterprise Linux 8

yum update -y webkit2gtk3
# or:
dnf upgrade -y webkit2gtk3

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 7	`Not affected`
redhat	Red Hat Enterprise Linux 7	`Affected`

OS impact

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

Debian Mixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`2.52.3-2~deb13u1`
sid	Fixed	`2.52.1-1`
forky	Fixed	`2.52.1-1`
bullseye	Affected	—
bookworm	Affected	—

ios Fixed 2 releases

Version	Status	Fixed in
26.4	Fixed	—
18.7.7	Fixed	—

macOS Fixed 1 release

Version	Status	Fixed in
26.4	Fixed	—

Red Hat Fixed 2 releases

Version	Status	Fixed in
9	Fixed	—
8	Fixed	—

Rocky Linux Fixed 1 release

Version	Status	Fixed in
9	Fixed	—

safari Fixed 1 release

Version	Status	Fixed in
26.4	Fixed	—

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.