{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2919", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-02-20T22:12:39.140Z", "datePublished": "2026-03-09T13:27:49.158Z", "dateUpdated": "2026-04-13T13:53:55.621Z"}, "containers": {"cna": {"affected": [{"product": "Focus for iOS", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "148.2", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability was fixed in Focus for iOS 148.2.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability was fixed in Focus for iOS 148.2."}]}], "title": "Attacker-controlled content shown under spoofed domains in Focus for iOS via stalled navigation and iframe redirect", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1975842"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-18/"}], "credits": [{"lang": "en", "value": "Renwa Hiwa"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:53:55.621Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-451", "lang": "en", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T14:43:48.139860Z", "id": "CVE-2026-2919", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:43:51.521Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2919", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T14:43:48.139860Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:43:36.215Z"}}], "cna": {"title": "Attacker-controlled content shown under spoofed domains in Focus for iOS via stalled navigation and iframe redirect", "credits": [{"lang": "en", "value": "Renwa Hiwa"}], "affected": [{"vendor": "Mozilla", "product": "Focus for iOS", "versions": [{"status": "unaffected", "version": "148.2", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1975842"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-18/"}], "descriptions": [{"lang": "en", "value": "Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability was fixed in Focus for iOS 148.2.", "supportingMedia": [{"type": "text/html", "value": "Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability was fixed in Focus for iOS 148.2.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:53:55.621Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2919", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:53:55.621Z", "dateReserved": "2026-02-20T22:12:39.140Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-03-09T13:27:49.158Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "31A081FE-E7DD-43C5-BC23-8354580AE2B2", "versionEndExcluding": "148.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability was fixed in Focus for iOS 148.2."}, {"lang": "es", "value": "Scripts maliciosos podr\u00edan mostrar contenido web controlado por el atacante bajo dominios falsificados en Focus para iOS al detener una navegaci\u00f3n _self a un puerto inv\u00e1lido y al activar una redirecci\u00f3n de iframe, haciendo que la interfaz de usuario (UI) muestre un dominio de confianza sin interacci\u00f3n del usuario. Esta vulnerabilidad afecta a Focus para iOS < 148.2."}], "id": "CVE-2026-2919", "lastModified": "2026-05-06T18:33:11.300", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-09T14:16:10.017", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1975842"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-18/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-451"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,148.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Focus for iOS", "source": "cna", "vendor": "Mozilla"}, "product": "focus_for_ios", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-15T16:43:09.673116+00:00", "value": {"mitigation_remediation": ["Update Focus for iOS to version 148.2 or later to apply the vendor fix.", "Configure device or network controls to block or restrict iframe redirects, enforcing navigation only to trusted domains or whitelisted URLs.", "Monitor client logs or use device management tools for anomalous navigation attempts to invalid ports or unexpected iframe redirects, treating such events as potential phishing attempts."], "summary": {"action": "Apply Patch", "impact": "Spoofed domain display via UI deception"}, "threat_synthesis": {"affected_systems": "Mozilla Focus for iOS, all releases prior to v148.2. The vulnerability was fixed in Focus for iOS 148.2, so any version earlier than this is potentially affected.", "description_and_impact": "Malicious scripts can display attacker\u2011controlled web content under spoofed domains in Focus for iOS by stalling a self navigation to an invalid port and triggering an iframe redirect. The user interface is made to appear as a trusted domain without user interaction, enabling phishing or deceptive content delivery. Based on the description, it is inferred that this could lead to credential theft or social engineering attacks but does not provide remote code execution or direct data exfiltration.", "risk_and_exploitability": "The CVSS score is 4.3, indicating a low\u2011to\u2011moderate severity. The EPSS score is below 1%, implying a very low probability of exploitation under current threat conditions. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the attack vector most likely requires an attacker to supply malicious content that the app processes, which can be achieved through a crafted web page or a malicious link that the user opens in Focus for iOS."}}}}, "created": "2026-03-10T14:07:22.451230+00:00", "updated": "2026-04-15T17:00:07.029783+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$focus_for_ios"]}