CVE-2026-2032
Received Received - Intake
HTML Spoofing via Script Injection in Firefox for iOS

Publication date: 2026-02-16

Last updated on: 2026-04-13

Assigner: Mozilla Corporation

Description
Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability was fixed in Firefox for iOS 147.2.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-04-13
Generated
2026-05-27
AI Q&A
2026-02-16
EPSS Evaluated
2026-05-25
NVD
CVE-2026-2032
EUVD
EUVD-2026-6083
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mozilla firefox to 147.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-451 The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in Firefox for iOS versions before 147.2.1, where malicious scripts can interrupt the loading of new tab pages. This interruption causes a desynchronization between the address bar and the actual page content.

As a result, an attacker can spoof arbitrary HTML content under a trusted domain, meaning the address bar shows a legitimate URL while the page content is fraudulent.


How can this vulnerability impact me? :

The vulnerability can mislead users by displaying fraudulent web pages while showing legitimate URLs in the address bar.

This can enable attackers to conduct website spoofing attacks, potentially tricking users into divulging sensitive information or performing unintended actions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to update Firefox for iOS to version 147.2.1 or later.

This update contains the fix that prevents attackers from exploiting the desynchronization between the address bar and page content, thereby stopping website spoofing attacks.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart