CVE-2026-20643: Vulnerability in WebKit Navigation API May Bypass Same Origin Policy

Apple released a Background Security Improvements update addressing CVE-2026-20643, a WebKit cross-origin Navigation API vulnerability that could allow malicious web content to bypass the Same Origin Policy across iPhone, iPad, and Mac; the fix was delivered via iOS/iPadOS/macOS 26.3.1 (a) updates, users are advised to enable automatic background installs, and Apple reported no observed in-the-wild exploitation.