Firefox iOS 152.4: PDF Title Exploit Overwrites Files
CVE-2026-14906 Published on July 13, 2026

Malicious webpage titles could allow overwriting of bundled PDF resources when saving webpages as PDFs in Firefox for iOS
Pages with malicious titles could potentially allow saved PDF content to overwrite PDF files or bundled content within the Firefox for iOS application sandbox. This vulnerability was fixed in Firefox for iOS 152.4.

NVD

Vulnerability Analysis

CVE-2026-14906 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

What is an Unrestricted File Upload Vulnerability?

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

CVE-2026-14906 has been classified to as an Unrestricted File Upload vulnerability or weakness.


Products Associated with CVE-2026-14906

Want to know whenever a new CVE is published for Mozilla Firefox? stack.watch will email you.

 

Affected Versions

Mozilla Firefox for iOS: