Code Injection in Firefox for iOS - CVE-2026-9309


Published: June 1, 2026


Vulnerability identifier: #VU133137
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-9309
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mozilla
Affected software:
Firefox for iOS

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary JavaScript in an internal origin.

The vulnerability exists due to improper neutralization of special elements in Reader View's handling of JSON-LD metadata when a malicious page is rendered in Reader View. A remote attacker can inject crafted markup through the page's JSON-LD metadata and thereby execute arbitrary JavaScript in an internal origin.

The injected markup can alter Reader View's behavior and leak sensitive URL parameters, which can then be used to access internal pages.
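As an added illustration of this bug class only (this is not Mozilla's code and not the actual Reader View implementation), the hypothetical reader-mode header builder below pulls JSON-LD article metadata out of a page and renders it twice: once by naive string concatenation, which lets markup in a metadata field reach the rendering origin, and once through an allowlist of keys plus HTML escaping. All function names and the sample page are constructed for this example.

```javascript
// Hypothetical reader-mode metadata pipeline (not Firefox code).
// Pull every <script type="application/ld+json"> body out of the page HTML.
function extractJsonLd(html) {
  const re = /<script[^>]*type=["']application\/ld\+json["'][^>]*>([\s\S]*?)<\/script>/gi;
  const objects = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      objects.push(JSON.parse(m[1]));
    } catch (_) {
      // Malformed JSON-LD is ignored rather than partially trusted.
    }
  }
  return objects;
}

// Escape the characters that can open markup or break out of an attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only these metadata keys are ever rendered; anything else in the JSON-LD is dropped.
const RENDERED_KEYS = ['headline', 'author', 'datePublished'];

// Vulnerable pattern: metadata strings concatenated straight into the reader HTML,
// so markup inside a JSON-LD string value becomes live markup in the reader origin.
function renderHeaderUnsafe(meta) {
  return RENDERED_KEYS.map(k => `<p class="${k}">${meta[k] ?? ''}</p>`).join('');
}

// Hardened pattern: every value is escaped before it is concatenated, so the
// metadata can only ever appear as text.
function renderHeaderSafe(meta) {
  return RENDERED_KEYS.map(k => `<p class="${k}">${escapeHtml(meta[k] ?? '')}</p>`).join('');
}

// Constructed sample page whose JSON-LD headline carries markup. The JSON
// escapes the closing tag as <\/script> so it does not end the script block.
const SAMPLE_PAGE = `<html><head>
<script type="application/ld+json">{"@type":"Article","headline":"Hello <script>alert(1)<\\/script>","author":"Example Author","datePublished":"2026-06-01"}</script>
</head><body>article body</body></html>`;
```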


How to mitigate CVE-2026-9309

Install the security update from the vendor's website.
