Local Web Server Vulnerability in Firefox for iOS by Mozilla
CVE-2026-8706

6.5MEDIUM

Key Information:

Vendor: Mozilla
Status: Firefox For iOS
Vendor: CVE Published:; 19 May 2026

What is CVE-2026-8706?

Firefox for iOS contains a vulnerability where the hosted Reader mode on an unauthenticated local web server allows other applications on the same device to request arbitrary URLs. This can expose sensitive data through responses rendered with the signed-in user's cookies, potentially leading to unauthorized access to user information. The issue was addressed in version 151.0, ensuring enhanced security against such attacks.

Affected Version(s)

Firefox for iOS 151.0

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2036618

https://www.mozilla.org/security/advisories/mfsa2026-49/

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2026
Vulnerability Reserved
May 15, 2026

Credit

Muneaki Nishimura

CVE-2026-8706 Data

JSON