CVE-2026-20660
Published: 11 February 2026
Summary
CVE-2026-20660 is a high-severity Path Traversal (CWE-22) vulnerability in Apple iPadOS. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). The CVE ranks at the 6.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Arbitrary file write via path traversal directly enables remote ingress/transfer of attacker-controlled files onto the system.
NVD Description
A path handling issue was addressed with improved logic. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Tahoe 26.3, visionOS 26.3. A remote user may be able to write arbitrary files.
Deeper analysis (AI)
CVE-2026-20660 is a path handling vulnerability, classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), that enables a remote user to write arbitrary files. It affects Safari prior to 26.3, iOS and iPadOS prior to 18.7.5 and 26.3, macOS Sequoia prior to 15.7.5, macOS Sonoma prior to 14.8.4, macOS Tahoe prior to 26.3, and visionOS prior to 26.3. The issue was addressed through improved logic in the affected components. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact without confidentiality or availability effects.
A remote attacker can exploit this vulnerability over the network with low complexity, requiring no privileges, authentication, or user interaction. Successful exploitation allows the attacker to write arbitrary files on the targeted system, potentially leading to persistent access, data tampering, or further compromise depending on the write locations and privileges.
Apple's security advisories detail the fixes in the specified versions and recommend updating to the patched releases for mitigation. Relevant updates are documented at https://support.apple.com/en-us/126346, https://support.apple.com/en-us/126347, https://support.apple.com/en-us/126348, https://support.apple.com/en-us/126350, and https://support.apple.com/en-us/126353.
Details
- CWE(s)