Skip to main content

Firefox Focus CVE-2026-11799

| EUVDEUVD-2026-35837 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 security@mozilla.org GHSA-2j9g-whc6-7j55
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 10, 2026 - 16:27 vuln.today
CVSS changed
Jun 10, 2026 - 16:22 NVD
7.5 (HIGH)
CVE Published
Jun 09, 2026 - 21:17 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 09, 2026 - 21:17 nvd
HIGH 7.5

DescriptionNVD

UXSS in Focus for iOS / Klar Webkit navigation. This vulnerability was fixed in Focus for iOS 151.3.1 and Klar for iOS 151.3.1.

AnalysisAI

Universal cross-site scripting (UXSS) in Mozilla Focus and Klar for iOS allows remote attackers to inject script into the context of arbitrary web origins by abusing WebKit navigation handling in the browser. The flaw, reported by Mozilla and tracked as EUVD-2026-35837, was corrected in Focus for iOS 151.3.1 and Klar for iOS 151.3.1. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the CVSS of 7.5 reflects the high confidentiality impact achievable with no privileges.

Technical ContextAI

Focus and Klar are Mozilla's privacy-focused mobile browsers for iOS, both of which - per Apple platform requirements - render web content using Apple's WebKit engine rather than Gecko. The vulnerability is a Universal XSS (UXSS) in the navigation pipeline, meaning the same-origin policy that normally isolates one site from another is broken during a navigation transition, allowing script delivered from one origin to execute in the context of another. This maps to CWE-79 (Improper Neutralization of Input During Web Page Generation) at the browser-engine level, where origin tracking and document/context binding during navigation is the root-cause class rather than a typical reflected/stored XSS in a web app.

Affected ProductsAI

Mozilla Focus for iOS prior to 151.3.1 and Mozilla Klar for iOS prior to 151.3.1 are affected; Klar is the German-market rebrand of Focus and shares the same codebase. No CPE strings were provided in the input data, so exact product identifiers cannot be cited; affected versions are taken from Mozilla's advisory MFSA 2026-55 at https://www.mozilla.org/security/advisories/mfsa2026-55/ and the originating bug at https://bugzilla.mozilla.org/show_bug.cgi?id=1975667. Desktop Firefox, Firefox for Android, and Firefox iOS (the full browser) are not listed as affected in the available data.

RemediationAI

Vendor-released patch: Focus for iOS 151.3.1 and Klar for iOS 151.3.1 - upgrade both apps via the Apple App Store immediately, and for MDM-managed iOS fleets push the updated versions through the managed app catalog. Mozilla's advisory at https://www.mozilla.org/security/advisories/mfsa2026-55/ and bug https://bugzilla.mozilla.org/show_bug.cgi?id=1975667 are the authoritative references. Until the update is applied, compensating controls are limited because the flaw is in the in-app web engine: advise users not to follow untrusted links inside Focus/Klar, switch temporarily to Safari or full Firefox iOS (which use the same WebKit engine but a different navigation wrapper and are not listed as affected), or restrict the app via MDM web content filters to a known-good allowlist of domains; the trade-off of the allowlist approach is that it defeats Focus/Klar's general-purpose browsing use case and is only practical for kiosk-style deployments.

Share

CVE-2026-11799 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy