Skip to main content

9front Mothra CVE-2026-9053

| EUVDEUVD-2026-31401 MEDIUM
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-05-22 9front GHSA-38r3-cgcv-g3qp
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:X/RE:L/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:X/RE:L/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 22, 2026 - 05:46 vuln.today
CVSS changed
May 22, 2026 - 04:22 NVD
6.9 (MEDIUM)
CVE Published
May 22, 2026 - 02:57 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Mothra would respect a default value given by a website for HTML file upload forms. An attacker could craft a website with a malicious default file path, and then conceal this form element.

AnalysisAI

File disclosure via malicious HTML file upload default values in Mothra, the web browser bundled with the 9front Plan 9 fork, allows a remote unauthenticated attacker to exfiltrate arbitrary local files from a victim's filesystem. By crafting a webpage containing a hidden file input element with a pre-set malicious default path, the attacker can cause Mothra to silently submit a targeted local file to an attacker-controlled server upon user interaction. The CVSS 4.0 E:P supplemental metric indicates publicly available proof-of-concept exploit code exists; no CISA KEV listing is present, suggesting exploitation is not yet confirmed at scale.

Technical ContextAI

Mothra is the native graphical web browser in 9front, a community fork of Bell Labs Plan 9 operating system. The vulnerability arises from Mothra's handling of the HTML 'value' attribute on file input elements (<input type='file' value='...'>) - the browser incorrectly honors a server-supplied default file path rather than requiring the user to manually select a file. The affected product is identified by CPE cpe:2.3:a:9front:9front:*:*:*:*:*:*:*:* spanning all commits prior to the fix commit d145acc9ef0da47131af6ad94e87264e04870d47. No CWE is formally assigned, but the root cause aligns with the class of improper input validation or unauthorized information exposure through browser-side trust of server-controlled file references - conceptually adjacent to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-552 (Files or Directories Accessible to External Parties). The attack requires active user interaction (CVSS UI:A) but no authentication or special network positioning.

RemediationAI

The primary fix is to update Mothra by pulling the 9front source tree to commit d145acc9ef0da47131af6ad94e87264e04870d47 or any later revision, then rebuilding. The upstream fix commit is documented at https://git.9front.org/plan9front/9front/d145acc9ef0da47131af6ad94e87264e04870d47/commit.html. Note that this is a source commit rather than a tagged release, so a patched named release version has not been independently confirmed from the available data. As a compensating control where rebuilding is not immediately possible, users should avoid browsing untrusted or unknown websites with Mothra, particularly any site that presents forms or requests file operations. Disabling or not using Mothra's file upload functionality when visiting untrusted pages reduces exposure, though this may not be granularly configurable without source modification. There are no known side effects to applying the upstream commit fix.

Share

CVE-2026-9053 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy