Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

CVE-2025-66286 | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceCVE-2025-66286

CVE-2025-66286

MEDIUM4.7

Webkitgtk: authorization bypass through webpage::send-request signal handler

Published Apr 23, 2026

Modified Yesterday

Details

An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP requests bypass this signal handler.

References

https://access.redhat.com/security/cve/CVE-2025-66286

https://bugs.webkit.org/show_bug.cgi?id=259787

https://bugzilla.redhat.com/show_bug.cgi?id=2424652

https://www.cve.org/CVERecord?id=CVE-2025-66286

CVSS Analysis

CVSS v3.1

4.7

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

RequiredUI:R

Scope

Scope

ChangedS:C

Impact

Confidentiality

LowC:L

Integrity

NoneI:N

Availability

NoneA:N

4.7/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Weakness Type (CWE)

Other

Ecosystems

Timeline

PublishedApr 23, 2026

ModifiedApr 28, 2026