Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-3g7q-89gg-hkb5
Vulnerability ID VCID-3g7q-89gg-hkb5
Aliases CVE-2009-1306
Summary Mozilla developer Daniel Veditz reported that when the jar: scheme is used to wrap a URI which serves the content with Content-Disposition: attachment, the HTTP header is ignored and the content is unpacked and displayed inline. A site may depend on this HTTP header to prevent potentially untrusted content that it serves from executing within the context of the site. An attacker could use this vulnerability to subvert sites using this mechanism to mitigate content injection attacks.This vulnerability has not been fixed on the Mozilla 1.8.1 branch, which is used to build Firefox 2 and Thunderbird 2. However, note that there are several mitigating factors which prevent easy exploitation of this issue. In order for a website to be exploitable it must:
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
epss 0.01841 https://api.first.org/data/v1/epss?cve=CVE-2009-1306
generic_textual none https://www.mozilla.org/en-US/security/advisories/mfsa2009-16
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-1306.json
https://api.first.org/data/v1/epss?cve=CVE-2009-1306
496262 https://bugzilla.redhat.com/show_bug.cgi?id=496262
CVE-2009-1306 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1306
GLSA-201301-01 https://security.gentoo.org/glsa/201301-01
mfsa2009-16 https://www.mozilla.org/en-US/security/advisories/mfsa2009-16
RHSA-2009:0436 https://access.redhat.com/errata/RHSA-2009:0436
RHSA-2009:0437 https://access.redhat.com/errata/RHSA-2009:0437
RHSA-2009:1125 https://access.redhat.com/errata/RHSA-2009:1125
RHSA-2009:1126 https://access.redhat.com/errata/RHSA-2009:1126
USN-764-1 https://usn.ubuntu.com/764-1/
USN-782-1 https://usn.ubuntu.com/782-1/
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.83277
EPSS Score 0.01841
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:27:38.361379+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2009/mfsa2009-16.md 38.6.0