HTML Tag Injection Issue in Firefox for iOS
CVE-2026-9309
Currently unrated
What is CVE-2026-9309?
Reader View in Firefox for iOS did not properly escape HTML tags in JSON-LD metadata. A malicious webpage could use this flaw to inject markup that alters the behavior of Reader View, leading to the unintended leakage of sensitive URL parameters. These leaked parameters could grant access to internal pages, creating a risk of arbitrary JavaScript execution within an internal origin. The vulnerability has been addressed in version 151.2 of Firefox for iOS.
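The bug class described above, as an added example that is not Firefox for iOS code: a reader template filled from page-supplied JSON-LD, rendered once without escaping and once with HTML escaping. The template, placeholder names and function names are hypothetical, and the sample metadata is constructed.

```javascript
"use strict";

// Hypothetical reader template; the placeholder names are assumptions.
const TEMPLATE = '<article><h1>%TITLE%</h1><p class="byline">%BYLINE%</p></article>';

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that can open a tag, an entity or an attribute value.
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pull headline and author name out of a JSON-LD block. Anything that is not a
// plain string is dropped, so nested objects never reach the template.
function parseJSONLD(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (err) {
    return { title: "", byline: "" };
  }
  if (data === null || typeof data !== "object") return { title: "", byline: "" };
  const author = data.author;
  const name = author && typeof author === "object" ? author.name : author;
  return {
    title: typeof data.headline === "string" ? data.headline : "",
    byline: typeof name === "string" ? name : "",
  };
}

// Substitute metadata into the template. escape=false reproduces the bug class
// (page-controlled strings become markup); escape=true is the corrected form.
function renderReader(meta, escape) {
  const enc = escape ? escapeHTML : String;
  const fields = { TITLE: meta.title, BYLINE: meta.byline };
  // One pass over the template: substituted values are never re-scanned.
  return TEMPLATE.replace(/%(TITLE|BYLINE)%/g, (_, key) => enc(fields[key]));
}

// Constructed sample metadata, standing in for what an untrusted page supplies.
const SAMPLE = JSON.stringify({
  "@type": "Article",
  headline: 'Weekly notes</h1><img src="https://example.invalid/p.png">',
  author: { name: "A. Writer & Co" },
});

const meta = parseJSONLD(SAMPLE);
console.log(renderReader(meta, false)); // the <img> from the metadata is live markup
console.log(renderReader(meta, true)); // same text, rendered as inert characters
```
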
Affected Version(s)
Firefox for iOS 151.2