PatchSiren cyber security CVE debrief
CVE-2026-53900 Mozilla CVE debrief
A vulnerability was discovered in Firefox for iOS, which preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument. This allowed a malicious site to inject arbitrary cookies into requests to an unrelated target domain. The vulnerability was fixed in Firefox for iOS 152.0.
- Vendor: Mozilla
- Product: Firefox for iOS
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-17
Who should care
Users of Firefox for iOS, particularly those who browse on untrusted or public networks, should be aware of this vulnerability and ensure they are running the latest version of the browser.
Technical summary
When TemporaryDocument followed a cross-origin HTTP redirect, Firefox for iOS preserved the cookies that had been set on the initial PDF request. A malicious site could use this to inject arbitrary cookies into requests to an unrelated target domain, potentially leading to unauthorized access or data theft.
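The following is an added example, not Mozilla's code: a small Python model of a redirect follower that shows a request cookie carried across a cross-origin redirect beside a policy that drops it at the origin boundary. The host names, the redirect table and the function names are constructed for illustration, and the stripping policy is an assumed mitigation; this page does not describe how Firefox for iOS implements its fix.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Request headers that were chosen for the first origin only.
ORIGIN_BOUND = {"cookie"}


def origin(url):
    """Return the (scheme, host, port) triple that defines a web origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def redirect_headers(current_url, location, headers, strip_cross_origin=True):
    """Resolve a Location value and return (next_url, headers to send there)."""
    next_url = urljoin(current_url, location)
    if strip_cross_origin and origin(next_url) != origin(current_url):
        # Crossing an origin boundary: drop cookies picked for the old origin.
        headers = {k: v for k, v in headers.items() if k.lower() not in ORIGIN_BOUND}
    return next_url, dict(headers)


def follow(start_url, headers, redirects, strip_cross_origin=True, limit=10):
    """Walk a constructed redirect table; return [(url, Cookie sent or None)]."""
    trail, url = [], start_url
    for _ in range(limit):
        cookie = next((v for k, v in headers.items() if k.lower() == "cookie"), None)
        trail.append((url, cookie))
        if url not in redirects:
            return trail
        url, headers = redirect_headers(url, redirects[url], headers, strip_cross_origin)
    raise RuntimeError("redirect limit exceeded")


# Constructed sample: a PDF URL on one site redirects to an unrelated origin.
REDIRECTS = {"https://site-a.example/doc.pdf": "https://site-b.example/report.pdf"}
INITIAL = {"Cookie": "session=value-chosen-by-site-a", "Accept": "application/pdf"}

if __name__ == "__main__":
    for label, strip in (("preserve (flawed)", False), ("strip (hardened)", True)):
        print(label)
        for url, cookie in follow("https://site-a.example/doc.pdf", INITIAL, REDIRECTS, strip):
            print(f"  {url}  Cookie: {cookie}")
```

Once the cookie is dropped at a cross-origin hop it is not re-attached on later hops, including a redirect back to the starting origin.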
Defensive priority
High
Recommended defensive actions
- Update Firefox for iOS to version 152.0 or later
- Be cautious when accessing sensitive information or making requests to trusted domains from untrusted networks
Evidence notes
The vulnerability was reported to Mozilla and fixed in Firefox for iOS 152.0. The CVE record was published on June 16, 2026.
Official resources
Mozilla has addressed this vulnerability in Firefox for iOS 152.0.