← back
CVE-2026-8706

Sensitive user data could be leaked to other applications through Reader mode

CVSS 6.5 MEDIUMEPSS 0.2%CWE-200CWE-306
Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies. This vulnerability was fixed in Firefox for iOS 151.0.
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
Mozilla · Firefox for iOS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://bugzilla.mozilla.org/show_bug.cgi?id=2036618https://www.mozilla.org/security/advisories/mfsa2026-49/