CVE-2026-9309

5.4 MEDIUM

Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata

Published: 2026-06-01 · Last updated: 2026-06-03

Severity and scoring

CVSS: 5.4 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CWE: CWE-79

Affected products

Vendor	Product
mozilla	firefox

Description

Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata. A malicious page could inject markup that changed Reader View behavior and leaked sensitive URL parameters. These parameters could then be used to access internal pages, potentially resulting in arbitrary JavaScript execution in an internal origin. This vulnerability was fixed in Firefox for iOS 151.2.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-9309
[Other]https://bugzilla.mozilla.org/show_bug.cgi?id=2036573
[Vendor advisory]https://www.mozilla.org/security/advisories/mfsa2026-53/

Related CVEs

Same vendor

CVE-2026-10702 — JIT miscompilation in the JavaScript Engine: JIT component (4.3 MEDIUM)
CVE-2026-10701 — Incorrect boundary conditions in the Graphics: Text component (7.5 HIGH)
CVE-2026-9308 — Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders (5.4 MEDIUM)
CVE-2026-9078 — Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain names (IDNs) incorrectly in link preview UI ... (5.4 MEDIUM)
CVE-2026-8706 — Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arb... (6.5 MEDIUM)

Same CWE

CVE-2026-2827 — The Open User Map PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'oum_location_notification' parameter in ... (4.7 MEDIUM)
CVE-2026-42558 — Xibo is an open source digital signage platform with a web content management system and Windows display player software (7.6 HIGH)
CVE-2026-53742 — Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template (5.4 MEDIUM)
CVE-2026-53741 — Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding (5.4 MEDIUM)
CVE-2026-53740 — Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice (5.4 MEDIUM)