CVE-2026-53900

MEDIUM

Cookie injection was possible when opening a PDF link

Title source: cna
STIX 2.1

Description

Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a malicious site to inject arbitrary cookies into requests to an unrelated target domain. This vulnerability was fixed in Firefox for iOS 152.0.

Scores

CVSS v3 4.3
EPSS 0.0010
EPSS Percentile 1.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-345 CWE-384
Status published
Products (2)
Mozilla/Firefox for iOS 152.0
mozilla/firefox_mobile < 152.0
Published Jun 16, 2026
Tracked Since Jun 16, 2026