What is GHSA-78h4-7j7j-4p28?

GHSA-78h4-7j7j-4p28 is a security advisory published by GitHub Security Advisories with Medium severity. Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain...

Which CVE IDs does GHSA-78h4-7j7j-4p28 cover?

GHSA-78h4-7j7j-4p28 covers the following CVE IDs: CVE-2026-9078. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-78h4-7j7j-4p28?

GHSA-78h4-7j7j-4p28 has a CVSS v3 base score of 5.4, published by GitHub Security Advisories.

GHSA-78h4-7j7j-4p28MediumCVSS 5.4

Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain...

Vendor

GitHub Security Advisories

Published

May 26, 2026

Last Modified

May 26, 2026

🔗 CVE IDs covered (1)

CVE-2026-9078 →

📋 Description

Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain names (IDNs) incorrectly in link preview UI surfaces. A crafted RTL hostname could visually reorder portions of the displayed domain, causing attacker-controlled sites to appear as trusted origins. This vulnerability was fixed in Firefox for iOS 151.1.

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-9078
https://bugzilla.mozilla.org/show_bug.cgi?id=2029371
https://www.mozilla.org/security/advisories/mfsa2026-52
https://github.com/advisories/GHSA-78h4-7j7j-4p28