CVE-2026-9309
Firefox for iOS Reader View HTML Injection Leads to XSS
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Mozilla Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mozilla | firefox_for_ios | 151.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Firefox for iOS to version 151.2 or later, where the issue with improper HTML tag escaping in JSON-LD metadata within Reader View has been fixed.
Can you explain this vulnerability to me?
This vulnerability in Firefox for iOS Reader View occurs because HTML tags in JSON-LD metadata were not properly escaped.
A malicious webpage could exploit this flaw by injecting markup that changes how Reader View behaves and causes sensitive URL parameters to be leaked.
These leaked parameters could then be used to access internal pages and potentially allow arbitrary JavaScript execution within an internal origin.
How can this vulnerability impact me? :
The impact of this vulnerability includes the exposure of sensitive URL parameters which could lead to unauthorized access to internal pages.
Additionally, it could enable an attacker to execute arbitrary JavaScript code within an internal origin, potentially compromising the security and integrity of the application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.