The issue was addressed by adding additional logic. This issue is fixed in Safari 26, macOS Tahoe 26. Visiting a malicious website may lead to address bar spoofing.

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-43327
• https://support.apple.com/en-us/125110
• https://support.apple.com/en-us/125113
• http://seclists.org/fulldisclosure/2025/Sep/53
• http://seclists.org/fulldisclosure/2025/Sep/59