CVE-2025-3839 — Product UI does not Warn User of Unsafe Actions in Epiphany-browser

CWE-356 — Product UI does not Warn User of Unsafe Actions5 documents5 sources

Severity

8.0HIGHNVD

EPSS

0.0%

top 95.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Epiphany-browser

Timeline

PublishedJan 23

Description

A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly warn or gate this action, resulting in potential code execution on the client device via trusted UI behavior.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:NExploitability: 1.6 | Impact: 5.8

Affected Packages1 packages

▶debiandebian/epiphany-browser< epiphany-browser 48.1-1 (forky)

🔴Vulnerability Details

GHSA

GHSA-h95f-v923-pcr4: A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction↗2026-01-23

▶

OSV

CVE-2025-3839: A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction↗2026-01-23

▶

📋Vendor Advisories

Debian

CVE-2025-3839: epiphany-browser - A flaw was found in Epiphany, a tool that allows websites to open external URL h...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-3839 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶