CVE-2026-11799: UXSS in Mozilla Focus & Klar iOS – Patch to 151.3.1 Now
A cross-site scripting (XSS) vulnerability affecting Mozilla Focus and Klar for iOS allows attackers to execute arbitrary JavaScript code in the context of visited websites without requiring user interaction. Unlike traditional XSS flaws that target web applications, this Unsafe JavaScript Execution in WebKit (UXSS) vulnerability exploits how the iOS browser engines handle navigation and script execution, potentially exposing sensitive user data or enabling phishing attacks within the browser itself.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
UXSS in Focus for iOS / Klar Webkit navigation. This vulnerability was fixed in Focus for iOS 151.3.1 and Klar for iOS 151.3.1.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11799 is an Unsafe XSS (UXSS) vulnerability in the WebKit navigation layer of Mozilla Focus for iOS and Mozilla Klar for iOS. The flaw stems from improper handling of JavaScript execution during navigation events, allowing attackers to bypass same-origin policy protections. The vulnerability is network-accessible, requires no authentication, and does not depend on user interaction beyond normal browsing—an attacker can trigger code execution simply by directing a user to a malicious website. The CVSS 3.1 vector (7.5, HIGH) reflects high confidentiality impact with no integrity or availability impact, consistent with data exfiltration scenarios.
Business impact
For organizations managing iOS-deployed users—particularly those handling sensitive workflows through mobile browsers—this vulnerability poses a direct risk to user privacy and credential theft. An attacker exploiting UXSS could silently capture authentication tokens, session data, or form inputs across multiple visited sites within a single browsing session. For enterprises with BYOD policies or contractor access via mobile, unpatched Focus/Klar instances become vectors for lateral reconnaissance or credential harvesting. Reputational harm and potential regulatory exposure under privacy frameworks (GDPR, CCPA) may also apply if user data is compromised.
Affected systems
The vulnerability affects Mozilla Focus for iOS and Mozilla Klar for iOS. Both are lightweight, privacy-focused browsers based on WebKit. The flaw impacts all versions prior to 151.3.1. Klar is the European variant of Focus; both share the same codebase and WebKit rendering engine. iOS versions prior to the patched release are in scope; verification of specific iOS OS version dependencies should be confirmed against Mozilla's official advisories.
Exploitability
Exploitability is high. The attack vector is network-based (AV:N), requires no privilege escalation (PR:N), and involves no special access controls (AC:L). Critically, user interaction is not required (UI:N)—an attacker can host a specially crafted webpage that, when visited by a Focus or Klar user, automatically executes JavaScript outside the intended sandbox. No user click, form submission, or opt-in is needed. This passive attack profile makes the vulnerability particularly dangerous in ad-injection scenarios, compromised CDNs, or malicious websites ranked high in search results.
Remediation
Users must upgrade to Focus for iOS version 151.3.1 or later, and Klar for iOS version 151.3.1 or later. These releases contain WebKit navigation fixes that properly isolate JavaScript execution. Organizations should communicate the update urgently to any users or contractors relying on these browsers for work. Since both browsers auto-update on modern iOS devices with App Store enabled, many users may already be protected; however, manual verification is recommended for managed or offline-updated devices.
Patch guidance
Deploy Focus for iOS 151.3.1+ and Klar for iOS 151.3.1+ across managed device fleets. Verify patch installation via Settings > [App Name] > App Version or check the App Store for 'Update Available' status. For organizations with MDM (mobile device management) integration, configure automatic app updates and enforce minimum version policies. Test compatibility with any iOS-based enterprise applications before mass rollout to rule out regression. Document patch deployment timestamps for compliance auditing.
Detection guidance
Monitor for exploitation attempts by analyzing access logs to Focus/Klar during the window before patch deployment. Look for requests to malicious or suspicious domains that coincide with unusual outbound traffic from managed mobile devices. Endpoint detection tools with iOS visibility should flag unpatched instances of Focus or Klar and alert security teams. Behavioral detection—such as unauthorized token or cookie exfiltration—may be difficult without application-level instrumentation; prioritize inventory and version scanning of installed browsers. Review any reported phishing or credential compromise incidents correlating with mobile browser usage for potential UXSS exploitation.
Why prioritize this
HIGH priority due to high confidentiality impact, passive exploitability requiring no user action, and widespread reliance on mobile browsers in modern workforces. Although KEV status is not yet assigned, the ease of exploitation and data exfiltration potential warrant immediate remediation. Organizations with BYOD, contractor, or remote worker programs should treat this as critical. The lack of user-interaction requirements elevates this above typical XSS flaws.
Risk score, explained
CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible vulnerability with low attack complexity and no authentication barrier. The confidentiality impact is rated HIGH, indicating a reasonable likelihood of sensitive data disclosure. Integrity and availability scores are NONE because the flaw does not modify content or degrade service availability. The score accurately captures the passive nature of the threat—an attacker gains unauthorized read access to session data or injected content without requiring the user to approve or interact with a prompt.
Frequently asked questions
Does this vulnerability affect desktop versions of Firefox or other Mozilla browsers?
No. CVE-2026-11799 is specific to Focus and Klar for iOS and exploits WebKit navigation behavior on Apple's platform. Desktop Firefox uses a different rendering engine (Gecko) and is not affected by this UXSS flaw. However, security teams should still patch any affected iOS installations.
Will a user see any indication that their browser has been compromised by this vulnerability?
Not necessarily. The UXSS flaw executes silently in the background without visual artifacts, pop-ups, or notifications. An attacker could exfiltrate cookies, tokens, or form data without the user's knowledge. This is why proactive patching and monitoring are critical.
Is there a workaround for users who cannot immediately update to 151.3.1?
Temporary mitigation options are limited. Users can restrict browsing to trusted, HTTPS-only sites and avoid clicking external links or visiting unfamiliar domains. However, this does not fully eliminate the risk. The recommended action is to apply the patch as soon as possible. Organizations should prioritize testing and deployment within their fleet.
How is this different from a regular cross-site scripting (XSS) vulnerability?
Traditional XSS vulnerabilities are confined to a single web application and require the attacker to inject malicious code into that application's server. UXSS (Unsafe XSS) exploits the browser itself—specifically WebKit's navigation handling in this case—allowing attackers to execute code across any website visited by the user and bypass normal browser security boundaries. This makes UXSS more dangerous because no specific website is required to be compromised; the attacker controls the vulnerability vector directly.
This analysis is provided for informational purposes and reflects the CVE details and vendor advisories available as of the publication date. Security teams should verify patch availability and compatibility within their specific environments before deployment. No exploit code is provided or endorsed. Organizations should consult Mozilla's official security advisories and their device management policies for authoritative guidance. This vulnerability assessment does not constitute legal or compliance advice; consult relevant regulatory frameworks (GDPR, CCPA, etc.) for data protection obligations. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-9308MEDIUMFirefox for iOS Reader View Template Injection (XSS)
- CVE-2026-9309MEDIUMFirefox for iOS Reader View HTML Injection & Parameter Leakage
- CVE-2023-54351HIGHStored XSS in WordPress Sonaar Music Plugin 4.7 – Patch & Detection Guide
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)