CVE-2026-2032
Received Received - Intake
HTML Spoofing via Script Injection in Firefox for iOS

Publication date: 2026-02-16

Last updated on: 2026-04-13

Assigner: Mozilla Corporation

Description
Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability was fixed in Firefox for iOS 147.2.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2032
EUVD
EUVD-2026-6083
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mozilla firefox to 147.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-451 The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in Firefox for iOS versions before 147.2.1, where malicious scripts can interrupt the loading of new tab pages. This interruption causes a desynchronization between the address bar and the actual page content.

As a result, an attacker can spoof arbitrary HTML content under a trusted domain, meaning the address bar shows a legitimate URL while the page content is fraudulent.

Impact Analysis

The vulnerability can mislead users by displaying fraudulent web pages while showing legitimate URLs in the address bar.

This can enable attackers to conduct website spoofing attacks, potentially tricking users into divulging sensitive information or performing unintended actions.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update Firefox for iOS to version 147.2.1 or later.

This update contains the fix that prevents attackers from exploiting the desynchronization between the address bar and page content, thereby stopping website spoofing attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2032. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart