CVE-2025-3839
Unknown Unknown - Not Provided
Insecure External URL Handling in Epiphany Enables Remote Code Execution

Publication date: 2026-01-23

Last updated on: 2026-01-23

Assigner: Fedora Project

Description
A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly warn or gate this action, resulting in potential code execution on the client device via trusted UI behavior.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-01-23
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-14
NVD
CVE-2025-3839
EUVD
EUVD-2026-4436
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
epiphany epiphany to 47.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-356 The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Epiphany web browser allows websites to open external URL handler applications with minimal user interaction and without proper warnings. Malicious websites can exploit this flaw to invoke local applications registered to handle specific URL schemes, potentially leading to code execution on the client device if those handler applications are vulnerable. Essentially, the browser fails to properly gate or warn this action, misleading users and expanding the attack surface from the browser to local applications. [1]

Impact Analysis

If exploited, this vulnerability can lead to remote code execution on your device through trusted UI behavior. Malicious websites could trigger vulnerable local applications to run harmful code within your user session, potentially compromising your system's security and privacy. [1]

Mitigation Strategies

To mitigate this vulnerability, you should update the Epiphany web browser to version 48.1 or later (or 47.5 or later on Linux systems) where the issue has been fixed. Additionally, consider restricting or monitoring the use of external URL handlers to reduce the risk of exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-3839. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart