Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain names (IDNs) incorrectly in link preview UI surfaces. A crafted RTL hostname could visually reorder portions of the displayed domain, causing attacker-controlled sites to appear as trusted origins. This vulnerability was fixed in Firefox for iOS 151.1.
AnalysisAI
Firefox for iOS misrepresents attacker-controlled domains as trusted origins through improper rendering of right-to-left Unicode characters and internationalized domain names (IDNs) in the link preview UI surface, enabling a spoofing/phishing attack against users on any iOS version prior to 151.1. The CVSS vector (PR:N/UI:R) indicates unauthenticated network-reachable exploitation contingent on user interaction with a crafted link. EPSS at the 5th percentile and SSVC exploitation status of 'none' confirm no active exploitation or public exploit code has been identified at time of analysis, positioning this as a targeted phishing risk rather than a broad automated threat.
Technical ContextAI
CWE-451 (UI Misrepresentation of Critical Information) identifies the root cause: the link preview rendering component in Firefox for iOS fails to neutralize bidirectional Unicode control characters (e.g., U+202E RIGHT-TO-LEFT OVERRIDE) and IDN homograph sequences before display. RTL overrides can visually reorder hostname labels so 'evil.com' renders as 'moc.live' or a recognizable brand name. IDN homograph attacks use visually identical Unicode characters (e.g., Cyrillic 'а' vs. Latin 'a') in registered domains to impersonate trusted origins. The affected CPE (cpe:2.3:a:mozilla:firefox_for_ios:*:*:*:*:*:*:*:*) covers all Firefox for iOS versions without an upper bound prior to the 151.1 fix, and the flaw is isolated to the iOS platform build - Firefox Desktop and Firefox for Android share different rendering paths and are not named in this advisory.
RemediationAI
Upgrade Firefox for iOS to version 151.1 or later, which contains the vendor-released patch per Mozilla security advisory mfsa2026-52 (https://www.mozilla.org/security/advisories/mfsa2026-52/). The update is distributed through the Apple App Store and should be applied as soon as it is available on the target device. If immediate upgrade is blocked by MDM policy or App Store restrictions, the primary compensating control is user awareness: instruct users to type trusted URLs directly into the address bar rather than relying on link preview UI for domain verification, as the address bar rendering is a separate code path. Blocking or restricting access to non-Latin IDN domains at the enterprise DNS or proxy layer can reduce IDN homograph exposure, though this may break legitimate internationalized sites and should be evaluated for operational impact. No network-level control can remediate this client-side rendering defect.
More in Firefox For Ios
View allCookie leakage in Firefox for iOS prior to 152.0 allows an attacker-controlled suffix domain to intercept cookies intend
PDF save functionality in Firefox for iOS allows maliciously crafted page titles to manipulate the output file path, ena
Cookie injection in Firefox for iOS (all versions prior to 152.0) arises from the browser's TemporaryDocument PDF handli
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31693
GHSA-78h4-7j7j-4p28