Spoofing Vulnerability in Safari Browser by Apple
CVE-2025-31266

4.3 MEDIUM

Key Information:

Vendor: Apple

CVE Published: 21 November 2025

What is CVE-2025-31266?

A vulnerability in the Safari browser allows potential attackers to spoof the domain name displayed in pop-up window titles. This can mislead users into thinking they are interacting with a legitimate website, increasing the risk of phishing and other social engineering attacks. The issue was addressed through improved truncation methods, safeguarding users from deceptive practices that could occur when navigating the web.

Affected Version(s)

macOS < 15.5

Safari < 18.5

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
