CVE-2026-9308: Arbitrary JavaScript execution in Reader View due to wrong HTML replacement order

Published June 1, 2026
Last update June 1, 2026

What the vulnerability does

Description

Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders. A malicious page could include a placeholder string that was later substituted with JSON-LD data, potentially resulting in arbitrary JavaScript execution. This vulnerability was fixed in Firefox for iOS 151.2.
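The ordering flaw described above, as an added example that is not Mozilla's code: the template, the placeholder names `%CONTENT%` and `%JSON_LD%`, and the sample inputs are all constructed for illustration. The single-pass renderer is one way to avoid the rescan and is not necessarily the change shipped in 151.2.

```python
import html
import re

# Hypothetical template and placeholder names, not the ones Firefox for iOS uses.
TEMPLATE = (
    '<script type="application/ld+json">%JSON_LD%</script>'
    "<article>%CONTENT%</article>"
)

def render_sequential(content: str, json_ld: str) -> str:
    """Flawed order: page content goes in first, so the later pass rescans it."""
    out = TEMPLATE.replace("%CONTENT%", content)
    return out.replace("%JSON_LD%", json_ld)

def render_single_pass(content: str, json_ld: str) -> str:
    """Resolve each placeholder found in the template once; inserted values are never rescanned."""
    values = {"%CONTENT%": content, "%JSON_LD%": json_ld}
    # A function replacement is used so backslashes in the values stay literal.
    return re.sub(r"%[A-Z_]+%", lambda m: values.get(m.group(0), m.group(0)), TEMPLATE)

def article_body(page: str) -> str:
    """Return what ended up in the HTML (not script-data) context."""
    return re.search(r"<article>(.*)</article>", page, re.S).group(1)

# Constructed article text. HTML-escaping leaves the placeholder-looking string
# intact because it contains no markup characters.
CONTENT = html.escape("Hello %JSON_LD% world")
# Constructed JSON-LD: fine as data inside its script block, but never HTML-escaped.
JSON_LD = '{"name": "<b id=\\"marker\\">x</b>"}'

if __name__ == "__main__":
    print("sequential :", article_body(render_sequential(CONTENT, JSON_LD)))
    print("single pass:", article_body(render_single_pass(CONTENT, JSON_LD)))
```

In the sequential render the unescaped JSON-LD lands inside `<article>`, where its markup is parsed as HTML; in the single-pass render the article keeps the inert literal text.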

Key dates

Disclosure timeline

June 1, 2026: CVE published
June 1, 2026: Record updated