CVE-2026-20660
Published: 11 February 2026
Summary
CVE-2026-20660 is a high-severity Path Traversal (CWE-22) vulnerability in Apple iPadOS. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). It is ranked at the 6.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-20660 is a path handling vulnerability, classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), that allows a remote user to write arbitrary files. It affects Apple's Safari browser and the operating systems iOS and iPadOS prior to versions 18.7.5 and 26.3, macOS Sequoia prior to 15.7.5, macOS Sonoma prior to 14.8.4, macOS Tahoe prior to 26.3, and visionOS prior to 26.3. The issue was addressed with improved logic in the affected components. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N): high integrity impact with no confidentiality or availability impact.
A remote attacker can exploit this vulnerability over the network with low complexity, requiring no privileges, authentication, or user interaction. Successful exploitation allows the attacker to write arbitrary files on the targeted system, potentially leading to persistent access, data tampering, or further compromise depending on the write locations and privileges.
Apple's security advisories detail the fixes in the specified versions and recommend updating to the patched releases for mitigation. Relevant updates are documented at https://support.apple.com/en-us/126346, https://support.apple.com/en-us/126347, https://support.apple.com/en-us/126348, https://support.apple.com/en-us/126350, and https://support.apple.com/en-us/126353.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5921
Vulnerability details
A path handling issue was addressed with improved logic. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Tahoe 26.3, visionOS 26.3. A remote user may be able to write arbitrary files.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file write via path traversal directly enables remote ingress/transfer of attacker-controlled files onto the system.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): Directly mitigates CVE-2026-20660 by requiring timely application of vendor patches that fix the path handling vulnerability in Safari and the affected Apple OS versions.
SI-10 (Information Input Validation): Enforces validation of untrusted path inputs from remote sources to block the directory traversal underlying this CWE-22 vulnerability.
Enforces access control policies to restrict unauthorized file writes enabled by the path handling flaw in browser components.
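To make the input-validation control concrete, the following Python function is an added example written for this page (it is not Apple's code and does not come from the advisory). It shows the containment check that stops a CWE-22 style traversal when an untrusted, client-supplied relative path is joined onto a restricted directory: normalize, then require the result to share the restricted directory as its common path, rather than a string-prefix comparison. The base directory, the sample paths and the single percent-decoding step are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when an untrusted path would escape the restricted directory."""


def safe_join(base_dir: str, untrusted: str) -> str:
    """Join an untrusted relative path onto base_dir.

    Returns the normalized absolute path only if it stays strictly inside
    base_dir; raises PathTraversalError otherwise. Pure string handling via
    posixpath keeps the check deterministic and filesystem-free; a production
    caller would additionally os.path.realpath() the result so that symlinks
    already present under base_dir cannot redirect the write.
    """
    base = posixpath.normpath(base_dir)
    if not posixpath.isabs(base):
        raise ValueError("base_dir must be an absolute path")

    # Assumption: names arrive URL-encoded, so decode one layer to make
    # "..%2F.." visible as "../..". Drop this line if the input is raw.
    decoded = unquote(untrusted)

    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    if not decoded or decoded.startswith("/"):
        raise PathTraversalError("empty or absolute path not allowed")

    candidate = posixpath.normpath(posixpath.join(base, decoded))

    # commonpath, not startswith: "/srv/downloadsX/f" starts with the string
    # "/srv/downloads" yet is not inside that directory.
    if posixpath.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"path escapes {base}: {untrusted!r}")
    if candidate == base:
        raise PathTraversalError("path resolves to the directory itself")
    return candidate


def review_paths(base_dir: str, untrusted_paths):
    """Classify a batch of candidate paths as (input, verdict, detail)."""
    results = []
    for p in untrusted_paths:
        try:
            results.append((p, "accept", safe_join(base_dir, p)))
        except (PathTraversalError, ValueError) as exc:
            results.append((p, "reject", str(exc)))
    return results


# Constructed sample inputs for illustration (not from the advisory).
SAMPLE_PATHS = [
    "reports/q1.pdf",          # ordinary relative path: accepted
    "a/../b.txt",              # ".." that stays inside the base: accepted
    "../../etc/passwd",        # classic traversal: rejected
    "..%2F..%2Fetc/passwd",    # percent-encoded traversal: rejected
    "/etc/passwd",             # absolute path: rejected
    "../downloadsX/f",         # prefix look-alike directory: rejected
    "a%00b.pdf",               # NUL byte: rejected
    ".",                       # the directory itself: rejected
]

if __name__ == "__main__":
    for inp, verdict, detail in review_paths("/srv/downloads", SAMPLE_PATHS):
        print(f"{verdict:7} {inp!r:28} -> {detail}")
```

The two accepted cases show that the check is about where the path ends up, not about whether it contains "..": `a/../b.txt` is fine because it normalizes to a location inside the base, while `../downloadsX/f` is rejected even though a naive prefix test would pass it.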