Zero Day MonitorZDM

← Back to list

4.7

CVE-2025-66286

red hat · red hat enterprise linux

Webkitgtk: authorization bypass through webpage::send-request signal handler

Description

An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP requests bypass this signal handler.

Affected Products

Vendor	Product	Versions
red hat	red hat enterprise linux	—

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
open source	open source webkitgtk	cert_advisory	90%

References

https://access.redhat.com/security/cve/CVE-2025-66286(vdb-entry, x_refsource_REDHAT)
https://bugs.webkit.org/show_bug.cgi?id=259787
https://bugzilla.redhat.com/show_bug.cgi?id=2424652(issue-tracking, x_refsource_REDHAT)

Related News (2 articles)

Tier B

BSI Advisories4d ago

[NEU] [UNGEPATCHT] [mittel] WebKitGTK: Schwachstelle ermöglicht Offenlegung von Informationen

→ No new info (linked only)

Tier C

VulDB5d ago

CVE-2025-66286 | WebKitGTK/WPE WebKit WebPage::send-request authorization

→ No new info (linked only)

CVSS 3.14.7 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

CISA KEV❌ No

Actively exploited❌ No

CWECWE-639

PublishedApr 23, 2026

Last enriched5d agov2

Trending Score20

Source articles2

Independent2

Info Completeness6/14

Missing: versions, cvss, epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2026-7309

Openshift-controller-manager: openshift container platform: information disclosure via environment variable injection

Multiple Vulnerabilities in Red Hat Products Allow Remote Code Execution, File Manipulation, and Denial of Service

NONECVE-2025-14831

Gnutls: gnutls: denial of service via excessive resource consumption during certificate verification

NONECVE-2026-6855EXP

Instructlab: instructlab: path traversal allows arbitrary directory creation and file write

NONECVE-2026-6848

Quay: red hat quay: authentication bypass allows privileged actions without valid credentials

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 23, 2026

Discovered by ZDM

Apr 23, 2026

Updated: description, severity

Apr 23, 2026

Version History

v2

Last enriched 5d ago

v2Tier C5d ago

Updated severity to HIGH, corrected exploit availability to false, and provided a more detailed description of the vulnerability.

descriptionseverity

via VulDB

v15d ago

Initial creation