CVE-2026-2634User Interface (UI) Misrepresentation of Critical Information in Mozilla Firefox

CWE-451User Interface (UI) Misrepresentation of Critical Information7 documents7 sources
Severity
9.8CRITICALNVD
EPSS
0.1%
top 80.61%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mozilla Firefox
Timeline
PublishedFeb 24

Description

Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability was fixed in Firefox for iOS 147.4.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDmozilla/firefox< 147.4

🔴Vulnerability Details

3
OSV
CVE-2026-2634: Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacke2026-02-24
CVEList
Spoofed web content presented under trusted domains using scripted navigation on Firefox iOS2026-02-24
GHSA
GHSA-gwgg-r543-4wvw: Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacke2026-02-24

📋Vendor Advisories

2
Debian
CVE-2026-2634: firefox - Malicious scripts could cause desynchronization between the address bar and web ...2026
Mozilla
Mozilla Foundation Security Advisory 2026-12: CVE-2026-2634

🕵️Threat Intelligence

1
Wiz
CVE-2026-2634 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-2634 — Mozilla Firefox vulnerability | cvebase