CVE-2026-20660

7.5 HIGH

📋 TL;DR

This CVE describes a path handling vulnerability (CWE-22) in multiple Apple operating systems and Safari that allows a remote attacker to write arbitrary files to affected systems. The vulnerability affects macOS, iOS, iPadOS, visionOS, and Safari users running outdated versions. Successful exploitation could lead to system compromise or data manipulation.

💻 Affected Systems

Products:
  • macOS
  • iOS
  • iPadOS
  • visionOS
  • Safari
Versions: prior to macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5, iPadOS 18.7.5, visionOS 26.3, iOS 26.3, iPadOS 26.3, Safari 26.3
Operating Systems: macOS, iOS, iPadOS, visionOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable; no special configuration required for exploitation.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote attacker gains arbitrary file write capability leading to system compromise, data destruction, or malware installation with system-level privileges.

🟠 Likely Case

Remote attacker writes malicious files to user-accessible locations, potentially leading to privilege escalation, data exfiltration, or persistence mechanisms.

🟢 If Mitigated

With proper network segmentation and least privilege controls, impact limited to isolated systems with minimal critical data exposure.

🌐 Internet-Facing: HIGH - Remote exploitation vector exists, allowing attackers to target systems without authentication.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable, but the attacker must first have network access; risk is reduced compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Remote exploitation possible without authentication; path traversal/file write vulnerabilities typically require some attacker interaction or specific conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5, iPadOS 18.7.5, visionOS 26.3, iOS 26.3, iPadOS 26.3, Safari 26.3

Vendor Advisory: https://support.apple.com/en-us/126346

Restart Required: Yes

Instructions:

1. Open System Settings > General > Software Update.
2. Install available updates for your operating system.
3. For Safari, update through the App Store or system updates.
4. Restart the device after installation.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict network access to affected systems, especially from untrusted networks.

Application Whitelisting (applies to: macOS)

Implement application control to prevent execution of unauthorized files.

🧯 If You Can't Patch

  • Isolate affected systems from internet and untrusted networks
  • Implement strict file system monitoring and integrity checking

🔍 How to Verify

Check if Vulnerable:

Check system version: macOS - About This Mac; iOS/iPadOS - Settings > General > About; Safari - Safari > About Safari

Check Version:

macOS: sw_vers -productVersion; iOS/iPadOS: Settings > General > About > Version

Verify Fix Applied:

Verify that the installed version matches or exceeds the patched versions listed under Official Fix > Patch Version.
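The macOS part of that check scripted, as an added example rather than anything from the advisory: it takes the output of sw_vers -productVersion, picks the patched version for that release branch (14.x Sonoma or 26.x Tahoe, as listed above), and reports patched, vulnerable, or unknown for branches the advisory does not list. The helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): compare an installed macOS
# version against the patched versions for CVE-2026-20660.

# vercmp A B: prints lt, eq or gt for dotted numeric versions,
# treating missing trailing components as 0 (so 26.3 == 26.3.0).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        if [ "$a" = "$ax" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bx" ]; then b=""; else b="${b#*.}"; fi
        if [ "${ax:-0}" -gt "${bx:-0}" ]; then echo gt; return 0; fi
        if [ "${ax:-0}" -lt "${bx:-0}" ]; then echo lt; return 0; fi
    done
    echo eq
}

# Minimum patched version for the release branch of the given version.
# Branches the advisory does not list (e.g. 15.x) yield an empty string.
min_patched_macos() {
    case "$1" in
        14.*) echo 14.8.4 ;;   # macOS Sonoma
        26.*) echo 26.3 ;;     # macOS Tahoe
        *)    echo "" ;;
    esac
}

# patch_status VERSION: prints patched, vulnerable or unknown.
patch_status() {
    installed="$1"
    min=$(min_patched_macos "$installed")
    if [ -z "$min" ]; then
        echo unknown
        return 0
    fi
    case "$(vercmp "$installed" "$min")" in
        lt) echo vulnerable ;;
        *)  echo patched ;;
    esac
}

# On a Mac, check the running system; elsewhere the functions can be
# fed a version string collected from inventory.
if command -v sw_vers >/dev/null 2>&1; then
    v=$(sw_vers -productVersion)
    echo "macOS $v: $(patch_status "$v") (CVE-2026-20660)"
fi
```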

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file write operations in system logs
  • Suspicious path traversal patterns in web server logs

Network Indicators:

  • Unusual outbound connections following file write attempts
  • HTTP requests with path traversal patterns

SIEM Query:

(source="*system.log*" AND ("file write" OR "path traversal")) OR (source="*web.log*" AND ("../" OR "..\\" OR "%2e%2e"))
