Firefox for iOS
CVE-2026-14906
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
User must actively save PDF (UI:R); overwrite affects integrity and availability within sandbox, not confidentiality.
Primary rating from Vendor (mozilla).
CVSS VectorVendor: mozilla
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Pages with malicious titles could potentially allow saved PDF content to overwrite PDF files or bundled content within the Firefox for iOS application sandbox. This vulnerability was fixed in Firefox for iOS 152.4.
AnalysisAI
PDF save functionality in Firefox for iOS allows maliciously crafted page titles to manipulate the output file path, enabling overwrites of existing PDF files or bundled application content within the Firefox iOS sandbox. All versions prior to 152.4 on Apple iOS devices are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three specific conditions: (1) the victim must be running Firefox for iOS prior to version 152.4 on an Apple iOS device - desktop and Android versions are not affected; (2) the victim must actively use the 'Save as PDF' functionality on the attacker-controlled page, meaning passive browsing alone is insufficient; (3) the attacker must control the HTML page title, which is trivially satisfied for any attacker-operated web server. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) presents internal inconsistencies worth flagging: the description describes file overwriting - an integrity impact - yet the vector encodes I:N and C:L with no explanation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a webpage containing a crafted HTML title tag with path traversal sequences or special characters (e.g., '../documents/target.pdf'). When an iOS user browsing with Firefox visits the page and uses the 'Save as PDF' share action, the unsanitized title is used to construct the output file path, causing the generated PDF to overwrite an existing file within the Firefox app sandbox rather than being saved at the expected location. … |
| Remediation | Vendor-released patch: Firefox for iOS 152.4. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Firefox For Ios
View allCookie leakage in Firefox for iOS prior to 152.0 allows an attacker-controlled suffix domain to intercept cookies intend
Firefox for iOS misrepresents attacker-controlled domains as trusted origins through improper rendering of right-to-left
Cookie injection in Firefox for iOS (all versions prior to 152.0) arises from the browser's TemporaryDocument PDF handli
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today