CVE-2026-2919 | THREATINT

Description

Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability affects Focus for iOS < 148.2.

PUBLISHED Reserved 2026-02-20 | Published 2026-03-09 | Updated 2026-03-09 | Assigner mozilla

Product status

Any version before 148.2

affected

Credits

Renwa Hiwa

References

bugzilla.mozilla.org/show_bug.cgi?id=1975842

www.mozilla.org/security/advisories/mfsa2026-18/

cve.org (CVE-2026-2919)

nvd.nist.gov (CVE-2026-2919)

Download JSON