Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionNVD
UXSS in Focus for iOS / Klar Webkit navigation. This vulnerability was fixed in Focus for iOS 151.3.1 and Klar for iOS 151.3.1.
AnalysisAI
Universal cross-site scripting (UXSS) in Mozilla Focus and Klar for iOS allows remote attackers to inject script into the context of arbitrary web origins by abusing WebKit navigation handling in the browser. The flaw, reported by Mozilla and tracked as EUVD-2026-35837, was corrected in Focus for iOS 151.3.1 and Klar for iOS 151.3.1. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the CVSS of 7.5 reflects the high confidentiality impact achievable with no privileges.
Technical ContextAI
Focus and Klar are Mozilla's privacy-focused mobile browsers for iOS, both of which - per Apple platform requirements - render web content using Apple's WebKit engine rather than Gecko. The vulnerability is a Universal XSS (UXSS) in the navigation pipeline, meaning the same-origin policy that normally isolates one site from another is broken during a navigation transition, allowing script delivered from one origin to execute in the context of another. This maps to CWE-79 (Improper Neutralization of Input During Web Page Generation) at the browser-engine level, where origin tracking and document/context binding during navigation is the root-cause class rather than a typical reflected/stored XSS in a web app.
Affected ProductsAI
Mozilla Focus for iOS prior to 151.3.1 and Mozilla Klar for iOS prior to 151.3.1 are affected; Klar is the German-market rebrand of Focus and shares the same codebase. No CPE strings were provided in the input data, so exact product identifiers cannot be cited; affected versions are taken from Mozilla's advisory MFSA 2026-55 at https://www.mozilla.org/security/advisories/mfsa2026-55/ and the originating bug at https://bugzilla.mozilla.org/show_bug.cgi?id=1975667. Desktop Firefox, Firefox for Android, and Firefox iOS (the full browser) are not listed as affected in the available data.
RemediationAI
Vendor-released patch: Focus for iOS 151.3.1 and Klar for iOS 151.3.1 - upgrade both apps via the Apple App Store immediately, and for MDM-managed iOS fleets push the updated versions through the managed app catalog. Mozilla's advisory at https://www.mozilla.org/security/advisories/mfsa2026-55/ and bug https://bugzilla.mozilla.org/show_bug.cgi?id=1975667 are the authoritative references. Until the update is applied, compensating controls are limited because the flaw is in the in-app web engine: advise users not to follow untrusted links inside Focus/Klar, switch temporarily to Safari or full Firefox iOS (which use the same WebKit engine but a different navigation wrapper and are not listed as affected), or restrict the app via MDM web content filters to a known-good allowlist of domains; the trade-off of the allowlist approach is that it defeats Focus/Klar's general-purpose browsing use case and is only practical for kiosk-style deployments.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35837
GHSA-2j9g-whc6-7j55