{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3029", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-03-31T09:35:20.446Z", "datePublished": "2025-04-01T12:28:59.386Z", "dateUpdated": "2026-04-13T14:26:00.288Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "128.9", "lessThanOrEqual": "128.*", "versionType": "rpm"}, {"status": "unaffected", "version": "137", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "128.9", "lessThanOrEqual": "128.*", "versionType": "rpm"}, {"status": "unaffected", "version": "137", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability was fixed in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability was fixed in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9."}]}], "title": "URL Bar Spoofing via non-BMP Unicode characters", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1952213"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-22/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-23/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-24/"}], "credits": [{"lang": "en", "value": "Renwa Hiwa"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:26:00.288Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-290", "lang": "en", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-01T18:38:36.495744Z", "id": "CVE-2025-3029", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-01T18:39:09.507Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00005.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:46:49.584Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00005.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:46:49.584Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-3029", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-01T18:38:36.495744Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-01T18:39:04.051Z"}}], "cna": {"title": "URL Bar Spoofing via non-BMP Unicode characters", "credits": [{"lang": "en", "value": "Renwa Hiwa"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "128.9", "versionType": "rpm", "lessThanOrEqual": "128.*"}, {"status": "unaffected", "version": "137", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "128.9", "versionType": "rpm", "lessThanOrEqual": "128.*"}, {"status": "unaffected", "version": "137", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1952213"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-22/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-23/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-24/"}], "descriptions": [{"lang": "en", "value": "A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability was fixed in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9.", "supportingMedia": [{"type": "text/html", "value": "A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability was fixed in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:26:00.288Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3029", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:26:00.288Z", "dateReserved": "2025-03-31T09:35:20.446Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-04-01T12:28:59.386Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "3E57ACC4-3D91-4DBF-8FE8-D17753EA3B82", "versionEndExcluding": "128.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "A6CBADD8-E865-41B5-BDDD-1572F97D5176", "versionEndExcluding": "137.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "547865A8-58DA-4716-A4E0-43597E1C8091", "versionEndExcluding": "128.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "BFA1B56A-1088-467B-AF0F-897EF15687D1", "versionEndExcluding": "137.0", "versionStartIncluding": "129.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability was fixed in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9."}, {"lang": "es", "value": "Una URL manipulada que contiene caracteres Unicode espec\u00edficos podr\u00eda haber ocultado el verdadero origen de la p\u00e1gina, lo que podr\u00eda dar lugar a un ataque de suplantaci\u00f3n de identidad. Esta vulnerabilidad afecta a Firefox < 137, Firefox ESR < 128.9, Thunderbird < 137 y Thunderbird < 128.9."}], "id": "CVE-2025-3029", "lastModified": "2026-04-13T15:16:56.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-04-01T13:15:41.290", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1952213"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-20/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-22/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-23/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-24/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00005.html"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:7491", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "firefox-0:128.9.0-3.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:7493", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "thunderbird-0:128.9.0-2.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:3628", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "firefox-0:128.9.0-2.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3582", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:128.9.0-2.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:4170", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:128.9.0-2.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-04-24T00:00:00Z"}, {"advisory": "RHSA-2025:3623", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "firefox-0:128.9.0-2.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:4032", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "thunderbird-0:128.9.0-2.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3581", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "firefox-0:128.9.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:4031", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "thunderbird-0:128.9.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3581", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "firefox-0:128.9.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:4031", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "thunderbird-0:128.9.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3581", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "firefox-0:128.9.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:4031", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "thunderbird-0:128.9.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3621", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "firefox-0:128.9.0-2.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:4030", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "thunderbird-0:128.9.0-2.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3621", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "firefox-0:128.9.0-2.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:4030", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "thunderbird-0:128.9.0-2.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3621", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "firefox-0:128.9.0-2.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:4030", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "thunderbird-0:128.9.0-2.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3620", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "firefox-0:128.9.0-2.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:4029", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "thunderbird-0:128.9.0-2.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3556", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:128.9.0-2.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:4169", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:128.9.0-2.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-04-24T00:00:00Z"}, {"advisory": "RHSA-2025:3587", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "firefox-0:128.9.0-2.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:4028", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "thunderbird-0:128.9.0-2.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3589", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "firefox-0:128.9.0-2.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:4027", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "thunderbird-0:128.9.0-2.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3590", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "firefox-0:128.9.0-2.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:4026", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "thunderbird-0:128.9.0-2.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-04-23T00:00:00Z"}], "bugzilla": {"description": "firefox: thunderbird: URL Bar Spoofing via non-BMP Unicode characters", "id": "2356556", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2356556"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-346", "details": ["A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 137, Firefox ESR < 128.9, Thunderbird < 137, and Thunderbird < 128.9.", "A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack."], "name": "CVE-2025-3029", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "thunderbird-flatpak-container", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-01T12:28:59Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-3029\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-3029\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1952213\nhttps://www.mozilla.org/security/advisories/mfsa2025-20/\nhttps://www.mozilla.org/security/advisories/mfsa2025-22/\nhttps://www.mozilla.org/security/advisories/mfsa2025-23/\nhttps://www.mozilla.org/security/advisories/mfsa2025-24/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-22T01:45:17.943092+00:00", "value": {"mitigation_remediation": ["Upgrade Mozilla Firefox to version\u00a0137 or newer, or to the ESR\u00a0128.9 release or newer.", "Upgrade Mozilla Thunderbird to version\u00a0137 or newer, or to the ESR\u00a0128.9 release or newer.", "As a temporary measure, restrict or block URLs containing non\u2011BMP Unicode characters and enable browser safe\u2011navigation alerts to mitigate spoofing risk."], "summary": {"action": "Patch", "impact": "URL bar spoofing via hidden Unicode characters"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox and Mozilla Thunderbird are the documented affected products. Versions before Firefox\u00a0137 and before Firefox\u00a0ESR\u00a0128.9, as well as versions before Thunderbird\u00a0137 and Thunderbird\u00a0128.9, are vulnerable. The CPE list also references Red\u2011Hat Enterprise Linux components, but the original description does not state that they are impacted; their inclusion appears to reflect support channels for the affected Firefox release streams.", "description_and_impact": "A crafted URL that includes specific non\u2011BMP Unicode characters can conceal the true origin of a web page, causing the browser to display a misleading address bar entry. This flaw permits an attacker to spoof the address shown to a user, potentially directing them to a malicious site. The vulnerability is classified as CWE\u2011290 and CWE\u2011346, indicating a failure in authentication\u2011based control and a token validation weakness, respectively, and leads only to deceptive navigation rather than direct code execution or system compromise.", "risk_and_exploitability": "With a CVSS score of 7.3 the vulnerability is high in severity, but the EPSS score of less than\u202f1\u202f% suggests a low likelihood of exploitation. It is not listed in the CISA KEV catalog. An attacker would typically craft a link containing the hidden characters\u2014such as in an email or a web page\u2014and rely on user interaction by clicking the spoofed address. The attack requires no additional credentials and exploits only the rendering of Unicode characters in URLs."}}}}, "created": "2026-04-22T02:00:05.032820+00:00", "updated": "2026-04-22T02:00:05.032853+00:00", "vendors": []}