CVE-2026-2032
Received Received - Intake

HTML Spoofing via Script Injection in Firefox for iOS

Vulnerability report for CVE-2026-2032, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-16

Last updated on: 2026-04-13

Assigner: Mozilla Corporation

Description

Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability was fixed in Firefox for iOS 147.2.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-16
Last Modified
2026-04-13
Generated
2026-07-06
AI Q&A
2026-02-16
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mozilla firefox to 147.2.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
CWE-451 The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs in Firefox for iOS versions before 147.2.1, where malicious scripts can interrupt the loading of new tab pages. This interruption causes a desynchronization between the address bar and the actual page content.

As a result, an attacker can spoof arbitrary HTML content under a trusted domain, meaning the address bar shows a legitimate URL while the page content is fraudulent.

Impact Analysis

The vulnerability can mislead users by displaying fraudulent web pages while showing legitimate URLs in the address bar.

This can enable attackers to conduct website spoofing attacks, potentially tricking users into divulging sensitive information or performing unintended actions.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update Firefox for iOS to version 147.2.1 or later.

This update contains the fix that prevents attackers from exploiting the desynchronization between the address bar and page content, thereby stopping website spoofing attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2032. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart