Vulnerability · NVD

CVE-2026-9308

MEDIUM 5.4 Published on 2026-06-01

Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders. A malicious page could include a placeholder string that was later substituted with JSON-LD data, potentially resulting in arbitrary JavaScript execution. This vulnerability was fixed in Firefox for iOS 151.2.

Attack vector : Network No privileges required

Show raw CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS 0.04% exploit very unlikely percentile 11.5%

Tracked apps referencing this CVE

For each app: the affected range, the fixing version, and where the tracked app stands today.

Firefox iOS org.mozilla.ios.Firefox

Affected <151.2 Fixed in 151.2 Latest tracked 151.2 patched

Observed affected builds (27)

151.1 151.0 150.3 150.2 150.1 150.0 149.3 149.2 149.1 149.0 148.3 148.2 148.1 148.0 147.5 147.4 147.3 147.2.1 147.2 147.1 147.0 146.1 146.0 145.3 145.2 145.1 145.0

Vulnerable CPE configurations (1)

Vendor	Product	Platform	Versions	CPE 2.3 URI
mozilla	firefox iOS	iOS	<151.2	cpe:2.3:a:mozilla:firefox::::::iphone_os::*

View on NVD ↗