Every CVE whose affected-product data names Mozilla Firefox Focus, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (20)
CVE-2025-55031 — CVSS 9.8 (critical): Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within…
CVE-2023-29534 — CVSS 9.1 (critical): Different techniques existed to obscure the fullscreen notification in Firefox and Focus for Android. These could have led to potential…
CVE-2024-1563 — CVSS 8.1 (high): An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom…
CVE-2026-8945 — CVSS 7.5 (high): Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151.
CVE-2023-25743 — CVSS 7.5 (high): A lack of in app notification for entering fullscreen mode could have lead to a malicious website spoofing browser chrome.<br>*This bug…
CVE-2024-0605 — CVSS 7.5 (high): Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. This…
CVE-2024-10474 — CVSS 6.5 (medium): Focus was incorrectly allowing internal links to utilize the app scheme used for deeplinking, which could result in links potentially…
CVE-2025-10290 — CVSS 6.5 (medium): Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly…
CVE-2023-29546 — CVSS 6.5 (medium): When recording the screen while in Private Browsing on Firefox for Android the address bar and keyboard were not hidden, potentially…
CVE-2025-55033 — CVSS 6.1 (medium): Dragging JavaScript links to the URL bar in Focus for iOS could be utilized to run malicious scripts, potentially resulting in XSS attacks…
CVE-2024-26284 — CVSS 6.1 (medium): Utilizing a 302 redirect, an attacker could have conducted a Universal Cross-Site Scripting (UXSS) on a victim website, if the victim had a…
CVE-2025-3859 — CVSS 6.1 (medium): Websites directing users to long URLs that caused eliding to occur in the location view could leverage the truncating behavior to…
CVE-2024-0606 — CVSS 6.1 (medium): An attacker could execute unauthorized script on a legitimate site through UXSS using window.open() by opening a javascript URI leading to…
CVE-2025-55032 — CVSS 6.1 (medium): Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline…
CVE-2024-8399 — CVSS 4.7 (medium): Websites could utilize Javascript links to spoof URL addresses in the Focus navigation bar This vulnerability affects Focus for iOS < 130.
CVE-2024-5022 — CVSS 4.4 (medium): The file scheme of URLs would be hidden, resulting in potential spoofing of a website's address in the location bar This vulnerability…
CVE-2023-6870 — CVSS 4.3 (medium): Applications which spawn a Toast notification in a background thread may have obscured fullscreen notifications displayed by Firefox. *This…
CVE-2026-2919 — CVSS 4.3 (medium): Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an…