DEBIAN-CVE-2025-3839

Source
https://security-tracker.debian.org/tracker/CVE-2025-3839
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-3839.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-3839
Upstream
  • CVE-2025-3839
Published
2026-01-23T05:16:21.753Z
Modified
2026-01-24T05:15:40.235667Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Summary
[none]
Details

A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly warn or gate this action, resulting in potential code execution on the client device via trusted UI behavior.

References

Affected packages

Debian:11 / epiphany-browser

Package

Name
epiphany-browser
Purl
pkg:deb/debian/epiphany-browser?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*
3.38.2-1
3.38.2-1+deb11u1
3.38.2-1+deb11u2
3.38.2-1+deb11u3
Other
40~beta-1
40~rc-1
41~beta-1
41~rc-1
42~beta-1
42~beta-2
43~beta-1
43~rc-1
44~rc-1
45~beta-1
46~alpha-1
46~beta-1
47~beta-1
47~rc-1
48~beta-1
48~rc-1
48~rc-2
40.*
40.0-1
40.0-2
40.1-1
40.2-1
40.3-1
40.3-2
41.*
41.0-1
41.0-2
41.2-1
41.3-1
41.3-2
42.*
42.0-1
42.0-2
42.1-1
42.2-1
42.3-1
42.4-1
43.*
43.0-1
43.0-2
43.1-1
44.*
44.0-1
44.1-1
44.2-1
44.3-1
44.5-1
44.5-2
44.6-1
45.*
45.0-1
45.1-1
45.2-1
46.*
46.0-1
46.0-2
46.1-1
46.2-1
46.3-1
47.*
47.0-1
47.2-1
48.*
48.0-1
48.1-1
48.2-1
48.3-1
48.3-2
48.5-1
48.5-2
48.5-3
49.*
49.0-1
49.1-1
49.2-1
49.2-2
49.2-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-3839.json"

Debian:12 / epiphany-browser

Package

Name
epiphany-browser
Purl
pkg:deb/debian/epiphany-browser?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

43.*
43.1-1
Other
44~rc-1
45~beta-1
46~alpha-1
46~beta-1
47~beta-1
47~rc-1
48~beta-1
48~rc-1
48~rc-2
44.*
44.0-1
44.1-1
44.2-1
44.3-1
44.5-1
44.5-2
44.6-1
45.*
45.0-1
45.1-1
45.2-1
46.*
46.0-1
46.0-2
46.1-1
46.2-1
46.3-1
47.*
47.0-1
47.2-1
48.*
48.0-1
48.1-1
48.2-1
48.3-1
48.3-2
48.5-1
48.5-2
48.5-3
49.*
49.0-1
49.1-1
49.2-1
49.2-2
49.2-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-3839.json"

Debian:13 / epiphany-browser

Package

Name
epiphany-browser
Purl
pkg:deb/debian/epiphany-browser?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
48.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-3839.json"

Debian:14 / epiphany-browser

Package

Name
epiphany-browser
Purl
pkg:deb/debian/epiphany-browser?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
48.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-3839.json"