Firefox iOS 151.0 Reader Mode Local Server SSRF
CVE-2026-8706 Published on May 19, 2026

Sensitive user data could be leaked to other applications through Reader mode
Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies. This vulnerability was fixed in Firefox for iOS 151.0.

NVD

Vulnerability Analysis

Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

Weakness Types

Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2026-8706 has been classified as an Information Disclosure vulnerability or weakness.


Products Associated with CVE-2026-8706


Affected Versions

Mozilla Firefox for iOS: