Description
UXSS in Focus for iOS / Klar Webkit navigation. This vulnerability was fixed in Focus for iOS 151.3.1 and Klar for iOS 151.3.1.
Published: 2026-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a client-side script injection in the WebKit navigation of Focus for iOS and Klar for iOS. When the apps load a web page, an attacker can supply a script that executes within the app’s context, enabling arbitrary client-side code execution. This is a universal cross-site scripting (UXSS) vulnerability, classified under CWE-79.

Affected Systems

Mozilla’s Focus for iOS and Klar for iOS are affected. Any installation before version 151.3.1 contains the flaw, which was fixed in the 151.3.1 release for both products.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while the EPSS score of <1% suggests a low probability of exploitation. The vulnerability is not listed in CISA KEV. The likely attack vector is a user opening a malicious web page through the app’s WebKit component. Once the malicious script runs, it can manipulate the app’s content or perform actions within the app’s permitted scope. No public exploits are currently documented.

Generated by OpenCVE AI on June 10, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied update to Focus for iOS 151.3.1 or later and Klar for iOS 151.3.1 or later.
  • If an update cannot be applied immediately, restrict the WebKit component to load only trusted URLs or disable external navigation.
  • Disable or remove the WebView component when it is not required for core app functionality.



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Weaknesses | | CWE-79 |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'} |
| | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 10 Jun 2026 11:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Mozilla, Mozilla focus For Ios, Mozilla klar For Ios |
| Vendors & Products | | Mozilla, Mozilla focus For Ios, Mozilla klar For Ios |

Tue, 09 Jun 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | UXSS in Focus for iOS / Klar Webkit navigation. This vulnerability was fixed in Focus for iOS 151.3.1 and Klar for iOS 151.3.1. |
| Title | | UXSS in Focus for iOS / Klar Webkit navigation |
| References | | |

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-10T15:47:54.890Z

Reserved: 2026-06-09T13:59:49.244Z

Link: CVE-2026-11799

Vulnrichment

Updated: 2026-06-10T15:45:40.639Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T21:17:03.410

Modified: 2026-06-10T20:14:36.697

Link: CVE-2026-11799

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T19:00:07Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')