WebKitGTK and WPE WebKit Security Advisory WSA-2026-0002

• Date Reported: March 28, 2026

• Advisory ID: WSA-2026-0002

• CVE identifiers: CVE-2026-20643, CVE-2026-20664, CVE-2026-20665, CVE-2026-20691, CVE-2026-28857, CVE-2026-28859, CVE-2026-28861, CVE-2026-28871

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

• CVE-2026-20643
  • Versions affected: WebKitGTK and WPE WebKit before 2.52.1.
  • Credit to Thomas Espach.
  • Impact: Processing maliciously crafted web content may bypass Same Origin Policy. Description: A cross-origin issue in the Navigation API was addressed with improved input validation.
  • WebKit Bugzilla: 306050
• CVE-2026-20664
  • Versions affected: WebKitGTK and WPE WebKit before 2.52.1.
  • Credit to Daniel Rhea, Söhnke Benedikt Fischedick (Tripton), Emrovsky & Switch, Yevhen Pervushyn.
  • Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling.
  • WebKit Bugzilla: 306136
• CVE-2026-20665
  • Versions affected: WebKitGTK and WPE WebKit before 2.52.1.
  • Credit to webb.
  • Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced. Description: This issue was addressed through improved state management.
  • WebKit Bugzilla: 304951
• CVE-2026-20691
  • Versions affected: WebKitGTK and WPE WebKit before 2.52.1.
  • Credit to Gongyu Ma (@Mezone0).
  • Impact: A maliciously crafted webpage may be able to fingerprint the user. Description: An authorization issue was addressed with improved state management.
  • WebKit Bugzilla: 306827
• CVE-2026-28857
  • Versions affected: WebKitGTK and WPE WebKit before 2.52.1.
  • Credit to Narcis Oliveras Fontàs, Söhnke Benedikt Fischedick (Tripton), Daniel Rhea, Nathaniel Oh (@calysteon).
  • Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling.
  • WebKit Bugzilla: 307723
• CVE-2026-28859
  • Versions affected: WebKitGTK and WPE WebKit before 2.52.1.
  • Credit to greenbynox, Arni Hardarson.
  • Impact: A malicious website may be able to process restricted web content outside the sandbox. Description: The issue was addressed with improved memory handling.
  • WebKit Bugzilla: 308248
• CVE-2026-28861
  • Versions affected: WebKitGTK and WPE WebKit before 2.52.1.
  • Credit to Hongze Wu and Shuaike Dong from Ant Group Infrastructure Security Team.
  • Impact: A malicious website may be able to access script message handlers intended for other origins. Description: A logic issue was addressed with improved state management.
  • WebKit Bugzilla: 307014
• CVE-2026-28871
  • Versions affected: WebKitGTK and WPE WebKit before 2.52.1.
  • Credit to @hamayanhamayan.
  • Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack. Description: A logic issue was addressed with improved checks.
  • WebKit Bugzilla: 305859

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: webkitgtk.org/security.html or wpewebkit.org/security.