{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2032", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-02-06T00:51:21.376Z", "datePublished": "2026-02-16T14:13:23.899Z", "dateUpdated": "2026-04-14T15:09:28.604Z"}, "containers": {"cna": {"affected": [{"product": "Firefox for iOS", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "147.2.1", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability was fixed in Firefox for iOS 147.2.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability was fixed in Firefox for iOS 147.2.1."}]}], "title": "Interrupted page loads in new tabs could allow website spoofing under trusted domains in Firefox iOS", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2012152"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-09/"}], "credits": [{"lang": "en", "value": "Qadhafy Muhammad Tera"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:54:43.119Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-451", "lang": "en", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T14:49:33.243063Z", "id": "CVE-2026-2032", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:09:28.604Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2032", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T14:49:33.243063Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T14:50:51.074Z"}}], "cna": {"title": "Interrupted page loads in new tabs could allow website spoofing under trusted domains in Firefox iOS", "credits": [{"lang": "en", "value": "Qadhafy Muhammad Tera"}], "affected": [{"vendor": "Mozilla", "product": "Firefox for iOS", "versions": [{"status": "unaffected", "version": "147.2.1", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2012152"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-09/"}], "descriptions": [{"lang": "en", "value": "Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability was fixed in Firefox for iOS 147.2.1.", "supportingMedia": [{"type": "text/html", "value": "Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability was fixed in Firefox for iOS 147.2.1.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:54:43.119Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2032", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:09:28.604Z", "dateReserved": "2026-02-06T00:51:21.376Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-02-16T14:13:23.899Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "68B7231D-8AED-4E0F-96C6-28773D3853B7", "versionEndExcluding": "147.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability was fixed in Firefox for iOS 147.2.1."}, {"lang": "es", "value": "Scripts maliciosos que interrumpen la carga de la p\u00e1gina de nueva pesta\u00f1a podr\u00edan causar desincronizaci\u00f3n entre la barra de direcciones y el contenido de la p\u00e1gina, permitiendo al atacante suplantar HTML arbitrario bajo un dominio de confianza. Esta vulnerabilidad afecta a Firefox para iOS < 147.2.1."}], "id": "CVE-2026-2032", "lastModified": "2026-04-13T15:17:19.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-16T15:18:34.620", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2012152"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-09/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-451"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,147.2.1)"}}], "product": "firefox_for_ios", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-15T15:13:24.686680+00:00", "value": {"mitigation_remediation": ["Upgrade to Firefox for iOS 147.2.1 or later, which removes the script interruption bug", "Disable or restrict third\u2011party JavaScript execution in Firefox\u2019s privacy settings to reduce the chance of malicious scripts causing the desynchronization", "Monitor browser behavior for unexpected new\u2011tab page changes and report any suspicious activity to Mozilla"], "summary": {"action": "Update Browser", "impact": "Spoofing of content under trusted domains via new\u2011tab page desynchronization"}, "threat_synthesis": {"affected_systems": "Mozilla\u2019s Firefox for iOS is vulnerable. The issue was addressed in Firefox for iOS version 147.2.1 and subsequent releases. Users operating older versions of Firefox on iOS devices must upgrade to eliminate the risk.", "description_and_impact": "Malicious scripts that interrupt the loading of a new tab can desynchronize the browser\u2019s address bar and the displayed page, allowing an attacker to inject arbitrary HTML that appears to come from a trusted site. The vulnerability is a client\u2013side scripting flaw that results in deceptive content presentation without the user\u2019s knowledge. It can be exploited by any site that hosts such scripts and does not trigger within a trusted domain context. This flaw permits attackers to mislead users into believing they are on a legitimate site while actually serving malicious content.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 4.3, indicating moderate risk. The EPSS score of less than 1% implies that the likelihood of exploitation is very low at present. The flaw is not listed in the CISA KEV catalog, which further reduces the perceived threat. Exploitation appears to require the user to load a malicious script that interferes with new\u2011tab navigation; remote exploitation over the network is not directly indicated in the description, so the attack vector is likely user\u2011initiated browsing. The official fix is a software update, which mitigates the flaw by preventing the script interruption entirely."}}}}, "created": "2026-02-17T08:49:36.137132+00:00", "updated": "2026-04-15T17:30:10.459576+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox_for_ios"]}