CVE-2026-11799: UXSS in Focus for iOS / Klar Webkit navigation
UXSS in Focus for iOS / Klar Webkit navigation. This vulnerability was fixed in Focus for iOS 151.3.1 and Klar for iOS 151.3.1.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 151.3.1
- Affected Products: 2
HarborGuard Analysis
Synopsis
A universal cross-site scripting (UXSS) vulnerability affects Mozilla Focus for iOS and Klar for iOS in their WebKit navigation handling. The flaw is reachable over the network without any authentication or user interaction, allowing a remote attacker to inject and execute arbitrary scripts in the context of any origin within the browser. Successful exploitation gives an attacker full read access to data across browsing contexts, including session tokens, cookies, and page contents. A patched-image rebuild at version 151.3.1 is available on HarborGuard for affected environments.
HarborGuard Coverage
- Detection: Available. Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Focus for iOS or Klar for iOS components.
- Triage: Available. CVSS 7.5 (HIGH) scoring is applied automatically, weighted against each customer's per-environment compliance policy; findings are routed to the appropriate team inbox within each customer organization based on configured severity thresholds.
- Patched image: Available. A patched-image rebuild at Focus for iOS and Klar for iOS version 151.3.1 becomes available as soon as the fix version is matched during the ingest cycle. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required. The attacker must be able to reach the affected application over the network; no local or physical access is needed.
- Authentication: Not required. No account or credential of any privilege level is needed to trigger the vulnerability.
- Victim interaction: Not required. The exploit fires without any action by a user, such as clicking a link or opening a file.
- Attack complexity: Low. The exploit is reliable and condition-free; no race conditions, specific memory layout, or environmental prerequisites are required.
Blast Radius
- Attacker reads session tokens, cookies, and authentication credentials stored in or accessible from any browsing context within the affected browser.
- Attacker reads page contents and form data across arbitrary origins, bypassing the same-origin policy that normally isolates sites from one another.
- Sensitive user data displayed in other open tabs or frames, such as personal account details or financial information, is exposed to the attacker.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication, matching this finding against all images in connected customer registries and pipelines. For environments running an affected version of Focus for iOS or Klar for iOS, a rebuilt image at version 151.3.1 is available once the fix is matched during ingest. Where compliance policy permits, customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a PR opened against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in those environments. Customers who have not opted into auto-remediation can review the finding in the HarborGuard dashboard and trigger a manual rebuild from the affected image detail page.
Fix available
- Mozilla / Focus for iOS: fixed in 151.3.1
- Mozilla / Klar for iOS: fixed in 151.3.1
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N