Apple
CVE-2026-2919
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability affects Focus for iOS < 148.2.
AnalysisAI
Domain spoofing in Focus for iOS versions prior to 148.2 allows remote attackers to display malicious content under trusted domain names through navigation stalling and iframe redirection techniques, without requiring user interaction beyond the initial page load. An attacker can leverage this to conduct phishing attacks or distribute misleading content by presenting spoofed trusted domains in the browser UI. No patch is currently available for this vulnerability.
Technical ContextAI
This vulnerability (CWE-451: User Interface (UI) Misrepresentation of Critical Information) Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability affects Focus for iOS < 148.2.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today