Vulnerability · NVD

CVE-2026-8706

HIGH 6.5 Published on 2026-05-19

Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies. This vulnerability was fixed in Firefox for iOS 151.0.

Attack vector : Adjacent network No privileges required No user interaction

Show raw CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS 0.02% exploit very unlikely percentile 5.3%

Tracked apps referencing this CVE

For each app: the affected range, the fixing version, and where the tracked app stands today.

Firefox iOS org.mozilla.ios.Firefox

Affected <151.0 Fixed in 151.0 Latest tracked 151.2 patched

Vulnerable CPE configurations (1)

Vendor	Product	Platform	Versions	CPE 2.3 URI
mozilla	firefox iOS	iOS	<151.0	cpe:2.3:a:mozilla:firefox::::::iphone_os::*

View on NVD ↗