CVE-2026-2032: User Interface (UI) Misrepresentation of Critical Information in Mozilla Firefox

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.0% (top 90.50%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Feb 16

Description

Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability was fixed in Firefox for iOS 147.2.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (1 package)

NVD: mozilla/firefox < 147.2.1

🔴 Vulnerability Details (3)

CVEList: Interrupted page loads in new tabs could allow website spoofing under trusted domains in Firefox iOS (2026-02-16)
GHSA: GHSA-jwv5-943c-f5wh: Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to (2026-02-16)
OSV: CVE-2026-2032: Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to (2026-02-16)

📋 Vendor Advisories (2)

Debian: CVE-2026-2032: firefox - Malicious scripts that interrupt new tab page loading could cause desynchronizat... (2026)
Mozilla: Mozilla Foundation Security Advisory 2026-09: CVE-2026-2032

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-2032 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-2032 — Mozilla Firefox vulnerability | cvebase