Vulnerability details: VCID-z23q-ts2f-17a3
Vulnerability ID VCID-z23q-ts2f-17a3
Aliases CVE-2006-1942
Summary Normally Mozilla-based clients prevent web content from linking to local files, but Eric Foley reports a partial bypass of this restriction by using Windows filename syntax (on a Windows computer) rather than a file:/// URL as the SRC= attribute. The image will not be loaded on the web page--it will appear as a broken image--but if a user can be convinced to right-click and select "View Image" then the content will be loaded. Since the image will replace the current document, attacker script cannot be run on it. Loading a local file at a known location is about the extent of this attack. If the local file is a media file, an external helper program may be launched to play the media depending on your settings. The action will be the same as if you had clicked on a remote link of the same media type and does not present any additional risk. Local files identified as executable will never be opened in this way, with "executable" broadly defined on Windows to include many scriptable document formats with a history of being abused. By referencing a local device rather than a file, this could be used as a limited denial-of-service attack to hang the browser.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.86371
EPSS Score 0.0294
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:18:05.743541+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2006/mfsa2006-39.md 38.0.0