CVE-2025-3839

HIGH 8.0

Epiphany: insecure external protocol invocation in epiphany

CVSS Score

8.0

EPSS Score

0.0%

EPSS Percentile

0th

A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly warn or gate this action, resulting in potential code execution on the client device via trusted UI behavior.

CWE	CWE-356
Published	Jan 23, 2026
Last Updated	Jan 23, 2026

Stay Ahead of the Next One

Get instant alerts for

Be the first to know when new high vulnerabilities are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-3839 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2361430

Credits

Red Hat would like to thank Michael Catanzaro for reporting this issue.