Firefox focus

This hub aggregates every CVE we track for Firefox focus, a product in the consumer software space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Firefox focus.

• CVE-2026-8945Sandbox escape in Firefox and Firefox Focus for Android7.5May 19, 2026
• CVE-2026-2919Attacker-controlled content shown under spoofed domains in Focus for iOS via stalled navigation and iframe redirect4.3Mar 9, 2026
• CVE-2025-10290Opening links via the contextual menu in Focus for iOS would not update the toolbar UI correctly, allowing attackers to spoof websites6.5Sep 16, 2025
• CVE-2025-55033Drag and drop gestures in Focus for iOS could allow JavaScript links to be executed incorrectly6.1Aug 19, 2025
• CVE-2025-55032Focus incorrectly ignores Content-Disposition headers for some MIME types6.1Aug 19, 2025
• CVE-2025-55031Passkey phishing within Bluetooth range9.8Aug 19, 2025
• CVE-2025-3859Firefox Focus elide URL allows address bar spoofing6.1Apr 30, 2025
• CVE-2024-10474Focus was incorrectly allowing internal links to utilize the app scheme used for deeplinking, which could result in links potentially circumventing some URL safety checks This vulnerability affects...6.5Oct 29, 2024
• CVE-2024-8399Websites could utilize Javascript links to spoof URL addresses in the Focus navigation bar This vulnerability affects Focus for iOS < 130.4.7Sep 3, 2024
• CVE-2024-5022The file scheme of URLs would be hidden, resulting in potential spoofing of a website's address in the location bar This vulnerability affects Focus for iOS < 126.4.4May 17, 2024
• CVE-2024-26284Utilizing a 302 redirect, an attacker could have conducted a Universal Cross-Site Scripting (UXSS) on a victim website, if the victim had a link to the attacker's website. This vulnerability affect...6.1Feb 22, 2024
• CVE-2024-1563An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme and a timeout race condition. This vulnerab...8.1Feb 22, 2024
• CVE-2024-0606An attacker could execute unauthorized script on a legitimate site through UXSS using window.open() by opening a javascript URI leading to unauthorized actions within the user's loaded webpage. Thi...6.1Jan 22, 2024
• CVE-2024-0605Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This bypasses security measures, potentially leading to arbitra...7.5Jan 22, 2024
• CVE-2023-6870Applications which spawn a Toast notification in a background thread may have obscured fullscreen notifications displayed by Firefox. *This issue only affects Android versions of Firefox and Firef...4.3Dec 19, 2023